If your certificates will be used to verify a small number of domains (e.g. *.yourcompany.com), but you want people outside of your organization to be able to browse to your website over HTTPS without having to manually import a root certificate, you have two options: get an [https://en.wikipedia.org/wiki/Public_key_certificate SSL certificate] from one of the CAs that already have a root certificate [[CA/Included_CAs|included in Firefox]], or get an [https://en.wikipedia.org/wiki/Intermediate_certificate_authorities intermediate certificate] cross-signed by one of those CAs.
Reference: https://developer.mozilla.org/docs/Mozilla/Security/x509_Certificates#CAs_included_in_Firefox
=== Who decides which CA certificates to include in Mozilla products? ===