dropbear is the default SSH server installed with OpenWrt and
uhttpd is the default web server installed with OpenWrt.
Certificates are used for two reasons:
There is not the same "issue" with ssh as it assumes that you can check the validity of the certificate the first time you see it. Generally your ssh client will show you a certificate "fingerprint" and ask if you trust it. Admittedly, most people just say "Y", but the option is there for "manual" verification (as well as some complex ways to establish certificate trust that most individuals don't configure).
With a web browser, things are a little different. They are designed for non-expert users and try to protect them from malicious activity. In a web browser, the authentication part is just as important as the encryption part. This is generally handled by a chain of trust -- there are several dozen "generally trusted" authorities that issue certificates, or entrust others and "sign" for their trustworthiness. Their certificates can be used to confirm that a different certificate is "trustworthy" when it is presented. These "top-level" certificates are generally delivered with the browser, and/or through a "CA bundle" or the like from some other trusted source.
In a typical HTTP-S connection, the certificate of the server is sent. The browser compares the "name" of the server on the certificate with that of the URL requested. Unless things are really misconfigured, they match, even with "self-signed" certificates. Then it checks to see if the signature on that certificate is "trusted" against its CA store. If it matches properly, the browser sets up the connection and starts talking over an encrypted channel. These days, there is an indication in the UI that this match has occurred, like
If it does not match a known, trusted CA, then it can still be used for encryption, but it requires explicit confirmation on the user's part in current browsers, since there is no way for the browser to confirm that you're talking with my-bank.example.com or the like. A different message is shown in most browsers to say "well, your browser doesn't really trust this connection"