OK, one other thing that just struck me regarding SSL issues, at least in the HTTP world... Verisign won't issue a server sert (x.509) for just "any" server, it has to be examined and approved (Apache finally got this), I believe Thawte Consulting, while more freewheeling, is also in a similar case. The reality is, you have to have a cert from someone who is pre-registered as a root server, or you're going to confuse your users.... sad but true.
Thawte will issue a type of certificate that can be used on any server on your domain (in addition to server certificates). Netscape accepts this type of certificate, but Microsoft Internet Explorer doesn't AFAIK. For testing purposes, we've issued our own certificates and dropped in Verisign or Thawte certificates afterwards. Regards, Jeff Bauer Rubicon, Inc.