I expect that'd do it; you'll still need to install the CA certificate in browsers, though. I have a similar setup, but with a CA cert generated in-house.
No you don't. The server hands out both certificates during the connection process. It just works ;-)
That appears to depend on the client - it certainly doesn't work with Mozilla, and Eudora needs some manual steps that the users seem to have trouble with. OTOH, it _shouldn't_ work automatically; the cert is no more inherently trustworthy than any random one somebody has generated.
In your case it sounds like you aren't using a certificate signed by any known authority.
Indeed.
He is - he's just using one signed by someone who was signed by a known authority. Nothing needs to be installed in the browser.
OK - I must've misunderstood his initial email.
Craig Ringer