It's been a while since I bestirred myself to change anything in my SSL
configuration (yes, I'm *still* running AOLserver 2.1 on one server...)
but I've got reason to consider SSL on one of my newer servers and I
don't want to pay Verisign more than I have to (and it's a different
domain name). So
Find out what browser types and versions you expect your users to use
and go see what CA certs are preloaded into them. That's the list of
CAs you should choose from. Getting a server cert from anyone else, or
generating your own, will cause your user's browsers to popup the
invalid site warning.