First, while I think I understand PKI pretty well, insert a caveat of
"I'm not an expert and I haven't gone and asked Digicert et al. for
their opinion."

As you probably know, a wildcard certificate's purpose is to have a
subject name that matches for anything at that level, for example the
wildcard certificate could be '*.novell.com' and will match for
bugzilla.novell.com, www.novell.com, support.novell.com, and all of
those things, but will not work for wiki.support.novell.com (at least,
that's what I'm told). The purpose of this cert is to be used by
clients directly. A CA, on the other hand, is not meant to be consumed
directly by clients in a way that matches with a DNS name or IP address.
For this reason I do not know that a wildcard certificate for a CA
makes any sense.

Certificates, when minted, are minted to have a purpose. For example,
encryption, or signing, or being a CA. With that in mind I have been
told that the biggest hurdle with what you want to do is getting the
CA-purposed certificate from the third-party CA. Why? What stops you
from becoming your own CA at that point and taking all of your signing
CA's business?

I think there are ways of getting around this, but I've never seen
somebody do this and as a result I expect it is either limited somehow
contractually, really expensive, or just not well understood. In any
case I'm interested to hear what your results are.

Good luck.
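The hostname-matching behaviour the message describes (a wildcard matching one label only, so '*.novell.com' covers www.novell.com but not wiki.support.novell.com) can be checked with the following matcher. This is an added example and not code from the original poster or from any CA; it implements a simplified version of the RFC 6125 / CA/Browser Forum rules for wildcard DNS identifiers as an assumption, and the hostnames used are constructed sample input.

```python
import ipaddress


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) matches hostname.

    Rules applied (assumed, simplified from RFC 6125 s6.4.3 and the CA/B Forum
    Baseline Requirements):
      * comparison is case-insensitive;
      * a wildcard identifier never matches an IP address literal;
      * '*' is only accepted as the entire left-most label (no 'w*.example.com');
      * '*' matches exactly one label, so '*.novell.com' does not match
        'wiki.support.novell.com' and does not match the bare 'novell.com';
      * at least two labels must follow the wildcard, so '*.com' is refused.
    """
    # A hostname is never allowed to contain a wildcard itself.
    if "*" in hostname:
        return False
    # Wildcard identifiers never match IP literals.
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass

    pat = _labels(pattern)
    host = _labels(hostname)
    if not pat or not host or any(label == "" for label in pat + host):
        return False

    if "*" not in pattern:
        # Plain identifier: exact label-by-label match.
        return pat == host

    # Wildcard only as the whole left-most label; no partial wildcards.
    if pat[0] != "*" or any("*" in label for label in pat[1:]):
        return False
    # Refuse '*.com' style identifiers (public-suffix wildcard, simplified check).
    if len(pat) < 3:
        return False
    # The wildcard consumes exactly one label, so label counts must agree.
    if len(host) != len(pat):
        return False
    return host[1:] == pat[1:]


def names_covered(pattern: str, hostnames: list[str]) -> list[str]:
    """Return the subset of hostnames that the certificate name covers."""
    return [h for h in hostnames if dns_name_matches(pattern, h)]


if __name__ == "__main__":
    # Constructed sample hostnames from the message's example.
    sample = [
        "bugzilla.novell.com",
        "www.novell.com",
        "support.novell.com",
        "wiki.support.novell.com",
        "novell.com",
    ]
    for h in sample:
        print(f"{'*.novell.com':<14} vs {h:<26} -> {dns_name_matches('*.novell.com', h)}")
```

Running the block prints one line per sample hostname; only the three single-label names under novell.com match, while both the deeper wiki.support.novell.com and the bare apex do not.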