It looks like we'll be deploying an update that'll get our Certificate Authorities imported as trusted to all workstations. We can't just use AD for this since a goodly percentage of our machines aren't imported in AD. This has a number of benefits:

• Users won't get the warning message about 'untrusted certificates' when hitting some services
• We can sign more stuff
• And possibly most important, we can stop paying VeriSign weyrgelt everytime we need to set up a secure service and don't want worrying messages to come up