Is there some security certificate being used by the server?
Yes, that is how SSL works in essentially every browser that supports it. The server is always authenticated through SSL's mechanisms. Thus, the server must always have a certificate and access to the associated private key. Furthermore, as the previous poster noted, the server's certificate must be signed by a public key the client has decided to trust ahead of time, e.g. Verisign, Thawte. You can examine a list of such trusted authorities through your browser, e.g. in my version of Firefox, you go to the Tools menu and select Options, then select Advanced, then select the Security tab, then select View Certificates, and finally select the Authorities tab to see the (suprisingly long) list.
The client is optionally authenticated in SSL. I believe most sites that need client authentication do not use this feature of SSL, but rather do simple username-password authentication inside of the encrypted SSL channel setup with server-only authentication.