Hi James,
Thanks a lot for this "Howto". This should help a lot of admins trying to achieve similar behaviour.
That said, although this is already very helpful, I feel it deserves to go one (or two) steps further so that users playing in this area understand what it means to implement a certificate issued from either your own CA or from a "public" CA.
When a client accesses a server using a certificate issued by an "unknown" CA, the behaviour differs depending on the client.
All web browsers I know warn the user that the CA is unknown and allow you to trust such a CA and therefore to access the HTTPS web site.
For some other software, you may have to first download the public part of the CA key and store it in your list of "trusted CAs", otherwise the session is not established.
So what does it mean? If your web site is a public one, you may have a lot of clients you don't know, so it is very difficult to ask them to either accept this unknown CA or to download and install the CA's public key first. This is pretty obvious.
My point is more related to other servers (software) and protocols. Looking at IMAP, it's very likely that you manage, or at least know, all IMAP clients. Deploying your own private CA here is much easier and cheaper than buying a certificate from a "well known company".
What I am trying to express is that, not totally in line with your last sentence that is to go for a "well known CA" as much as possible, I would suggest keeping your money for certificates that really benefit from this, i.e. public web sites. For almost all other services, going for your own CA is cheaper, more flexible and definitely not less secure.
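The two client behaviours described in the reply above (a client that does not know the private CA refuses the chain; one that has the CA's public certificate in its trust list accepts it) can be reproduced end to end with nothing but the openssl CLI. The script below is an added example, not part of the original Howto or of the reply: it creates a throwaway private CA, issues a server certificate from it (an IMAP server is used as the scenario), and then verifies that certificate once without and once with the CA loaded. The names used (`Example Private CA`, `imap.example.internal`) and the temporary working directory are made up for the example.

```shell
#!/bin/sh
# Added example: private CA, server certificate issued from it, and the
# difference between a client that trusts the CA and one that does not.
# Requires only the openssl CLI (1.1.0 or later for -no-CAfile/-no-CApath).
set -e

WORK=$(mktemp -d)          # scratch directory, removed by nobody on purpose so you can inspect it
cd "$WORK"

# 1. The private CA: a key and a self-signed root certificate.
#    ca.crt is the "public part of the CA key" that clients must be given.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout ca.key -out ca.crt 2>/dev/null

# 2. The server (here a hypothetical IMAP host): key and signing request.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=imap.example.internal" \
    -keyout server.key -out server.csr 2>/dev/null

# 3. Sign the request with the private CA. A subjectAltName is added because
#    modern clients match the hostname against the SAN, not the CN.
printf 'subjectAltName=DNS:imap.example.internal\n' > san.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -extfile san.ext -out server.crt 2>/dev/null

# verify_chain CERT [CAFILE]
# Prints "accepted" or "rejected". The system trust store is deliberately
# disabled (-no-CAfile -no-CApath) so the outcome depends only on whether
# the private CA certificate is handed to the verifier, which is exactly
# what happens in a mail client with or without the CA installed.
verify_chain() {
    cert=$1
    cafile=$2
    if [ -n "$cafile" ]; then
        out=$(openssl verify -no-CAfile -no-CApath -CAfile "$cafile" "$cert" 2>&1) || true
    else
        out=$(openssl verify -no-CAfile -no-CApath "$cert" 2>&1) || true
    fi
    case $out in
        *": OK"*) echo accepted ;;
        *)        echo rejected ;;
    esac
}

# Client that has never heard of the CA: chain cannot be built, session refused.
echo "client without the CA installed: $(verify_chain "$WORK/server.crt")"
# Same client after importing ca.crt into its trusted CA list.
echo "client with the CA installed:    $(verify_chain "$WORK/server.crt" "$WORK/ca.crt")"
```

Only `ca.crt` is distributed to clients; `ca.key` stays on the CA machine and is the one file whose compromise lets an attacker issue certificates your clients will accept, so guard it at least as carefully as any server key. On the client side, `-CAfile` here plays the role of the trusted CA list of a mail client; for a quick live check against a running server the equivalent is `openssl s_client -connect imap.example.internal:993 -CAfile ca.crt`.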