First you need to tell us what you’ll be using it for. If you want to encrypted/authenticated email, you’ll need to personal mail certificates. For a small org, no management is really necessary and you can get free public ones, but for a large one, you’ll either want to do it with Verisign or deploy your own PKI and enroll/publish the certs in AD with a GPO automatically.
If you want secure client server communication, public certs like the one from Verisign are the best. You won’t have any problems with your Windows Mobile or other devices. You need to publish these on your Front End servers.
For more detailed info, reply
Having set up a number of servers for PKI , I have found that the Microsoft Technet site is an encyclopedia of information for setting up M/S 2003servers and utilizing the M/S PKI services . Also check with your Certificate Authority to find out any recommendations they might have.
Hope this helps!
See my blog on certificates for additional considerations.