I don't know best practices either, but it seems to me that having the file owned by the user running the web server might be a bad idea since it would then be writeable by that user, which introduces the possibility of overwriting the certificate from the web (though this would involve finding an exploit in the application that would allow saving to an arbitrary location).
If it is a dedicated WeBWorK server then having the certificate readable by everybody might not be a big deal since the only users on the server are system accounts and administrators.
If you wanted to get strict, I would think that the right approach would be to make the files readable by a group that the user running the web server belongs to.