What I was saying about some big-client corporate networks (those who have lots of "road warriors," or very sensitive information), is that they create a certificate-authority (CA) within their corporation, and arrange for all of their computers to accept that authority (by adding it to the list on every browser).

Then, they protect sensitive internal sites and info by arranging those resources to accept only SSL connections, which may only be secured by a certificate issued by the company-CA ... not any external entity such as VeriSign.

The rationale is simple: "we trust ourselves, and no one else, with regard to this, our bread-and-butter data." Which is of course a very valid point-of-view.

The "chain of trust" notion of SSL, while it looks just-fine on paper, is really quite weak: VeriSign (and all the rest) really don't have much ability to verify the credentials that someone may present when they show-up wanting to buy a certificate. They naturally tend to just take the money, after maybe-performing a slight bit of "due diligence." Hardly unheard-of ... yet, not good enough.

Hey folks,
Any recommended CA to get a one for my website, looks like some folks here have experience in that?

Comodo
Verisign
GoDaddy

Whoever you registered your domain (if you have one) would most likely also sell SSL certs.