The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Blue Coat has one, or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.
The reason is simple: most customers of these devices prefer to implement them in transparent proxy mode, which requires no endpoint device (browser, etc.) configuration, no pushing of internal certs, etc. Browsers are talking on 80/443 happily unaware that their traffic is being proxied, and the SSL server certs being presented by Google or Facebook or their bank are not actually certs from those servers...they're Blue Coat's imposter certificates, generated on-demand.
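Added example, not written by either commenter: the reply above describes on-demand certificates signed by an intermediate that chains to a publicly trusted root. The Python code below applies an HPKP-style pin check (a chain is accepted if any key in it is pinned) to show which pin depth notices such a chain; every key value and name in it is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def chain_matches_pins(chain_spkis, pins) -> bool:
    """Accept the chain if any certificate key in it is pinned."""
    return any(spki_pin(key) in pins for key in chain_spkis)


# Constructed stand-ins for SubjectPublicKeyInfo bytes (assumption: not real keys).
ROOT = b"constructed-spki:public-root"
SITE_INTERMEDIATE = b"constructed-spki:site-issuing-ca"
SITE_LEAF = b"constructed-spki:site-leaf"
PROXY_INTERMEDIATE = b"constructed-spki:proxy-intermediate"
PROXY_LEAF = b"constructed-spki:proxy-on-demand-leaf"

# Both chains end at the same public root, so both pass ordinary validation.
GENUINE_CHAIN = [SITE_LEAF, SITE_INTERMEDIATE, ROOT]
INTERCEPTED_CHAIN = [PROXY_LEAF, PROXY_INTERMEDIATE, ROOT]


def evaluate(pinned_keys):
    """Report whether each chain is accepted when only pinned_keys are pinned."""
    pins = {spki_pin(key) for key in pinned_keys}
    return {
        "genuine_accepted": chain_matches_pins(GENUINE_CHAIN, pins),
        "intercepted_accepted": chain_matches_pins(INTERCEPTED_CHAIN, pins),
    }


if __name__ == "__main__":
    for label, keys in [
        ("pin root", [ROOT]),
        ("pin issuing CA", [SITE_INTERMEDIATE]),
        ("pin leaf", [SITE_LEAF]),
    ]:
        print(label, evaluate(keys))
```

Pinning only the shared root accepts the intercepted chain; pinning the site's own issuing CA or leaf key rejects it.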
I will tell you what Fedora version I plan to skip: whatever initially switches us to Wayland. That will be a guaranteed shit-show, and a good call to avoid upgrading for a few months. But 24 is solid methinks.
Thanks! Yeah, I'll likely sit that one out as well. X works just fine for what I do.