At the moment you have the choice between a commercial PKI or your own PKI. The commercial PKI were created at the beginning to enable secure commerce over the Internet, basically securing HTTP. The pricing of certificates was calculated on a per host basis. The cost is more expensive than for a domain name because of the costs to identify the owner of the certificate (tracability), but also as a percentage into your e-commerce profits. Unfortunately this vision of a host basis has some major limitations. It is still acceptable to have a certificate to secure POP, IMAP, and other protocols, but when you need a certificate for each e-mail box on your network, costs start to skyrocket as well as the administrative burden to register all these certificates to the Certificate Authority and that every year. This problems exists too if you want to use certificates to authenticate clients in client/server applications (Web server, IPsec,..)
Why not have a certificate that can sign other certificates? At the moment the only option is to build your own Certificate Authority as described in this document. This allows flexible management of certificates but is limited to the people in your organisation, because people outside your organisation will have to load your root CA certificate to allow smooth operations.
The solution an unique PKI managed by a central authority in a similar format as DNS is managed. This is called a Global PKI.
