Authentication is mandatory for every API endpoint, including search (try the API explorer provided on any API method page; you will see that you first have to register for an API key before you can use the API).
Without using TLS, your access credentials would be sent in the clear, which is obviously not acceptable.
You shouldn’t need a certificate for HTTP over TLS; if you did, then a user would need to install a certificate before visiting any secure website. Certificates are signed by a standard root authority, which is what clients check and trust, and ours is one which your Oracle server should already know about (assuming it is up to date). Of course, that assumes Oracle’s use of TLS and certificate management is standard, and is in line with that implemented by all browsers and TLS-enabled HTTP client libraries. I don’t have any personal experience of Oracle’s implementation though.
If you go to https://beta.companieshouse.gov.uk and click on the padlock in the address bar (works at least in Chrome or Safari), you will be able to see all the necessary certificate information, most importantly the root certificate authority.
Does that clarify things? Come back if you need…
Chris