Thanks - I guess I'm looking for a way to do this with "universal" root
certs, similar to the way a browser works. - where you don't need the
specific cert/key of the other host, provided that it is signed by a
recognized CA (such as VeriSign)