You can use Open SSL to generate a working valid certificate. The problem is simple. 95% of the browser market is IE. If a certificate signer is not on the list of 'valid' providers in IE then you get the pop up. M$ no doubt extorts money from those providers that get on the IE list. After all they can remove you from this list with the latest 'security' hotfix.....

The only practical solution is for a creative virus writer to write a virus that inserts 'OpenSSL INC' as a trusted certificate provider.....and hack OpenSSL to issue certificates from afore mentioned INC.

With M$ total domination of the browser market there is plenty of potential for all sorts of rorts.