Sorry if this is too much of a newbie question, I am just starting to learn
about certificate services & PKI.....

We are a relatively small company (<100), but we wish to implement a public
key infrastructure using our Server 2003/SP1 servers (all our clients are
XP/SP2). We want to have digital signing for files, emails, etc and will
also be implementing smartcard login.

>From my certificate services reading, it seems that we want to have a
enterprise level certification authority. So that means we need a root CA
and 1 or more subordinate CAs. Also from my reading it seems that securing
the root CA is extremely important, and it is recommended that we have the
root CA offline and locked up.

Being a small company, the cost to do this seems a bit excessive.

Would it be possible to have one of the existing well known CAs (verisign or
thawte or ...) be our root CA? ie, can we have them sign our subordinate
CA's certificate? That would satisfy the "secure/locked up" requirement,

I have visited both Verisign & Thawte's sites, and couldnt find anything
about this.

Is this possible? what kind of cost am I looking at to do this?

Thanks for any info,