We have, for years, had a self-signed CA in our tree that we use for all of
our various security needs (basically just generating KMOs so that we can
create secure webservers). It all works perfectly. When people hit our
sites they get told it's an untrusted certificate, but they can ignore it
(or add it to their trusted certificates) and everything works just dandy
from there.

We've recently decided, however, that we'd like to have our CA recognized by
a known, public entity such as Verisign or Thawte.

My question is whether we can purchase something from one of those companies
that will, in effect, cause our CA to become trusted (and by chain of
association cause all of our SSL certificates to become trusted). We'd
rather not have to purchase individual SSL certificates for each of our
webservers, so the hope is to create the trust at the top of our NDS tree,
and have that be the only thing we have to purchase.

The ideal is that we can buy something that we can 'apply' to the CA, and
have everything fall into line automatically. Second choice would be to buy
a CA that we had to install, and then have to reissue all of our KMOs, but
be able to do so expense-free (ie, make our own, any time, using the
now-trusted CA).

Is this doable? Simple? Impossible? If it is doable, what is it that I'd
be asking Verisign for?

Many thanks (and apologies for a lack of understanding - security is
something that we got to work and, once working, we never stopped to _learn_