I recently finished introducing custom CA infrastructure in two instances, each having two sub CAs, two servers and a bunch of users. The “create your own CA” part was quite easy after I found a dated but still accurate tutorial. In hindsight it is quite silly that I didn’t do this before.
On the server side I had to make it work on:
Each expecting its own format/packing of certificates, keys and certificate chains. :/
On the client side I had to produce installation and configuration howtos for Windows and OS X and a bunch of popular browsers and email clients. Then there is the “user education” part … this is still in progress, but it’s looking good.
All in all, I’m happy with the result. 🙂