YesBalala <root@10.0.0.1> writes:
> That option is off because we are providing public service, we will
> need a root certificate from trusted authority.
>
> >Alternatively, how many domains do you want certified - A previous
> >customer of mine uses a single domain name, but appends different
> >directories off the domain for different projects - They all sit
> >comfortably under a single certificate....
>
> We have lots of different domains for various departments, we just want
> to consolidate things so our clients (departments) can go thru us to
> get the certificate in one stop.

You want basically the Verisign Managed PKI (formerly OnSite) or
Thawte SPKI service:

http://www.verisign.com/products/onsite/ssl/index.html
http://www.thawte.com/spki/index.html

It's a remotely operated CA where Verisign handles the technical end.
Cost per cert is lower than buying all your certs separately, but not
by much.

Thawte used to sell chained CA certs that would let you become an
actual CA in your own right the way you're asking. They charged about
$100,000 for the CA certification, plus a fee of a few bucks on each
cert you signed, and of course there was a lot of legal and technical
negotiation required. A few other commercial CAs including Equifax
got their start from Thawte that way. Verisign realized that Thawte
was busy creating new Verisign competitors, so Verisign bought out
Thawte and the practice stopped.

You can also go directly to browser vendors, convince them that you're
a legitimate public CA, and get your root cert installed in future
releases of the browsers. But then you have to wait a few release
cycles (years) before most users have browsers recent enough to
contain your root cert.

Finally, maybe you can just buy a wildcard certificate and use it on
all your servers, if you feel that doesn't create too much chaos. Why
do you have so many departments running their own public-facing SSL
servers anyway?