Edit: Hmm, looks like the free certs will never pass strict OCSP checks. As broken as the OCSP system is, I would still like to be able to check against it.
Usually it's quite easy to pass this (a single vendor) - you just need to get verified by a WebTrust recognized company (E&Y or some other bookkeeping company) and be able to convince the vendor (the process is pretty much the same with each vendor).
However, you'll need to build and run your infrastructure upfront, so you're already burning some years' money just to get those documents. When you finally get them and become ready to apply for inclusion with the vendors (Apple/MSFT/GOOG/Mozilla/Debian etc.), it will take another couple of months. Even when you're included, there is a big chance that it will take a couple of years to reach a high enough distribution rate to be acceptable for business purposes (think of old Android devices or Windows XP).
Getting cross-signed by another CA costs money and they will re-validate your setup as you will sign "below" their root CA.
I wonder what the total initial and running costs of starting up a CA (including WebTrust & yearly re-audit) are today...
> apply for inclusion with the vendors (Apple/MSFT/GOOG/Mozilla/Debian etc) it will take another couple of months
Mozilla takes ~1.5 years to include a CA.
> I wonder what the total initial and running costs of starting up a CA (including WebTrust & yearly re-audit) are today...
Without including man-hours, I've estimated it to be $550k for creating and maintaining a CA for three years. The audits make up a large majority of this. Big firms like E&Y charge a lot, which is what my estimate is based on. You also need HSMs + places to store the HSMs, a CP(S), etc. If you've ever read the WebTrust guidelines, you'll know you need a lot of accountability and security.
You could probably reduce the figure with a small auditing firm. My estimates of course are estimates. Certly got quoted $120k/yr (not including a readiness audit) for a WebTrust audit by E&Y.