"Countersigning" a CA with openssl

Posted by Tom O'Connor on Server Fault
Published on 2012-03-28T12:03:51Z

I'm pretty used to creating the PKI used for x509 authentication for whatever reason, SSL Client Verification being the main reason for doing it. I've just started to dabble with OpenVPN (which I suppose is doing the same things as Apache would do with the Certificate Authority (CA) certificate).

We've got a whole bunch of subdomains, and appliances which currently all present their own self-signed certificates. We're tired of having to accept exceptions in Chrome, and we think it must look pretty rough for our clients having our address bar come up red.

For that, I'm comfortable to buy an SSL Wildcard CN=*.mycompany.com. That's no problem.

What I don't seem to be able to find out is:

  1. Can we have our Internal CA root signed as a child of our wildcard certificate, so that installing that cert into guest devices/browsers/whatever doesn't present anything about an untrusted root?
  2. Also, on a bit of a side point, why does the addition of a wildcard double the cost of certificate purchase?

© Server Fault or respective owner
