There is a question posted at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28324159.html
and in the comments someone asked whether there are any public Certificate Authorities (CAs) that issue certificates directly off the root CA certificate. The response was:
"There are plenty...
Digicert, Verisign, Thawte, Comodo, to name a few."
This is incorrect. Public CAs are required to follow strict rules set in place by the CA/Browser Forum and by the root programs of the browser and operating system vendors (e.g. Microsoft, Firefox or Apple).
CA/Browser Forum Baseline Requirements: https://cabforum.org/baseline-requirements-documents/
Let's start by defining what a public Certificate Authority is:
The CA Browser Forum defines a Public CA as "Public Certificate Authorities are companies or government agencies that have been authorized by browsers to issue SSL and code signing certificates. These organizations must undergo annual audits by third parties in order to insure they are following rules regarding the proper vetting, issuance and revocation of certificates. Certificates issued by companies that have not been approved by browsers will display a warning [Rick: will cause a warning to be displayed] when consumers browse to a page secured by that certificate."
- CA/Browser Forum, Information for the Public: https://cabforum.org/info-for-consumers/
Now that we understand that public CAs must follow these guidelines, we can move on to the chain certificate, also known as the intermediate certificate or the issuing CA.
The chain certificate is a certificate issued off of the root certificate, and it is used to issue the publicly trusted certificates that are provided to the users and organizations that request certificates from the public CA. This allows control over certificate policies, since there are different types of certificates and verification types (e.g. DV, OV and EV... that is a whole different story). All public CAs are required to issue publicly trusted certificates off of a chain certificate; this is a mandatory requirement of the CA/Browser Forum and has been this way for some time now (2009 or 2010 I think).
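To make the root/chain/leaf relationship concrete, here is an added shell example (not from the original post or any CA's tooling) that builds a throwaway three-tier hierarchy with openssl and flags a leaf that hangs directly off the self-signed root; the CA names, file paths and helper functions are all made up for the demonstration. It also runs openssl verify on both leaves, which shows that a directly issued leaf still validates cryptographically: the chain-certificate rule is a policy requirement, not something path validation enforces.

```shell
# Added example (not from the original post or any CA's tooling): build a
# throwaway root -> issuing CA -> leaf hierarchy with openssl and flag a leaf
# that hangs directly off the self-signed root. All names and paths are made up.
WORK=$(mktemp -d)

# Print a certificate's subject or issuer DN in RFC 2253 form with the
# "subject=" / "issuer=" prefix stripped, so DNs compare as plain strings.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[^=]*= *//'; }
# Return 0 when certificate $1 is self-signed (subject DN equals issuer DN).
is_self_signed() { [ "$(dn "$1" subject)" = "$(dn "$1" issuer)" ]; }
# Return 0 when leaf $1 names root $2 as its issuer and $2 is self-signed,
# i.e. the leaf was issued straight off a root rather than off a chain cert.
issued_directly_by_root() {
  is_self_signed "$2" && [ "$(dn "$1" issuer)" = "$(dn "$2" subject)" ]
}
# Path validation as a browser does it: only the root is trusted, the issuing
# CA is supplied as untrusted input and must itself chain up to that root.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$1" >/dev/null 2>&1
}
# Build the hierarchy: one root, one issuing CA, and the same leaf request
# signed twice, once by the issuing CA (correct) and once by the root (direct).
build_hierarchy() {
  K="-newkey rsa:2048 -nodes"   # throwaway keys, no passphrase
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' >"$WORK/leaf.ext"
  openssl req $K -keyout "$WORK/root.key" -out "$WORK/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -extfile "$WORK/ca.ext" \
    -out "$WORK/root.pem" 2>/dev/null
  openssl req $K -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Example Issuing CA" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req $K -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf_ok.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf_direct.pem" 2>/dev/null
}

build_hierarchy
for leaf in leaf_ok leaf_direct; do
  chain_verifies "$WORK/$leaf.pem" && v="verifies" || v="does not verify"
  if issued_directly_by_root "$WORK/$leaf.pem" "$WORK/root.pem"; then
    echo "$leaf: $v, but was issued directly off the root (not how public CAs operate)"
  else
    echo "$leaf: $v, issued off a chain certificate"
  fi
done
```

Both leaves pass openssl verify; only the issuer check tells the two apart, which is why auditing a CA's issuance practice cannot rely on path validation alone.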
So how can you work around the Asker's issue in the question I mentioned at the beginning of this post?
You can look into mobile appliances that let you push a profile containing a certificate, or the credentials needed to access the wireless network, to users who are not part of the domain, or that authenticate those users directly.
Device certificates are another option, but the users would need access to a web page first. Entrust offers device certificates issued off a non-trusted root certificate, even though Entrust is a trusted CA. The user clicks a link and submits their information, a notification is sent to the system admin for approval, and the requester is then sent a download that installs the root, chain and public certificate issued to them, allowing them to authenticate on the network.
Entrust Device Certificates: http://www.entrust.net/mobile-devices/index.htm
Another option is to issue your own certificates off an internal CA, where you do not have to follow the Baseline Requirements guidelines. You still have the same issue, though: the user is prompted to trust the certificates unless they are on the domain, in which case you can push the certificates out.