Question : Running everything over SSL - Pros? Cons? Recommendations?

Our site is mostly full of informational content and product information. The backend comprises a section where our staff can update the site and the products we advertise, as well as chat with clients, upload quotes, etc. We currently only secure the user's profile, sign-in and register sections, nothing more.

We have an EV SSL certificate on order as we have a new centralised authentication system in development so we can link multiple sites together, having everyone authenticate once for any one of these sites, which is kinda cool, similar to .NET Passport, Fubra, OpenID and Facebook Connect. By using an EV certificate, it'll display our company name in the address bar, and the way management see it, if every page is secure it'll make our clients and users feel safer when using our site.

Is there anything wrong with running everything over SSL? Any pros, cons or recommendations in doing this?

Thanks in advance.

Answer : Running everything over SSL - Pros? Cons? Recommendations?

Coffee fueled sermon... sorry...

To add onto the previous comment, which I agree 100% with for the pros and cons, my recommendation is what your management wants, whatever that may be :)  It really comes down to how much the customers' trust is worth vs. the cost of implementation - that's a management and marketing decision.  In IT we just provide suggestions to consider, the rollout costs for them to consider, and then implement it someday.  As a PKI expert, I'm all for going forward with it - just know that there are a few small but critical caveats and things to know about.

Anyways,

1) Note that many commercial CAs may require you to purchase additional licenses or copies of the same cert if you will be hosting it on multiple servers.  If there are a decent number of servers you can typically negotiate a bulk deal.  I've negotiated a few deals with the sales people that don't do per physical box licensing and told them it's ridiculous to do it any other way, it's a royal pain to track by site especially over time, and they've been pretty agreeable to give a custom change (cutting out costs by a lot from the more expensive vendors).

2) "some performance cost on your server" can be a huge understatement - doing this has been known on many occasions to down entire sites.   Of course this all depends on how much data you push per page, customer volume, and existing CPU load.  I would recommend a website load test under http and https on a non-production test server and compare the results to see if your normal traffic will increase, then actively monitor it closely especially during peak traffic times until you feel comfortable.  If the load is an issue, see #4.

https://www.alertsite.com/aslp_web_load.html?ascamp=load+testing&gclid=CIWQ2pyIgJwCFSANDQod5DoZAA

http://www.loadtestingtool.com/

3) Understand that EV certs are relatively new to the market - however they have quickly gained acceptance and integration.  Make sure to test with a number of browsers so you understand any potential compatibility issues.  Usually they just need to update their browser software.

Microsoft root update: this is updated every few months always under KB931125 and is included in OS service packs, but is only a 'recommended' update from windows update.  They can also install the latest IE version/service pack.
http://www.microsoft.com/downloads/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0&displaylang=en

FireFox, Safari, Opera - install latest version - if it works for you it will work for your customers.

Chrome - uses the Microsoft root cert store.

Handhelds - instruct the user to view the details of the cert and verify the site name and thumbprint (aka fingerprint or hash value) and then instruct them to trust it.  Make sure to verify so they can be confident that the root cert is actually the correct one and not a fake site that they mistyped.

4) If you want to use the green bar for non-sensitive pages to ensure trust in the validity of the content (and thank you for realizing this is another key reason to use certs, not just encrypting passwords) and the load does become an issue, there are things you can do:
- Reduce unnecessary images, or pull images from another server.  Remember that when a page is https then all static links must also be https or the user will get a warning, reducing the trust level.
- Add another CPU.  Simple, but effective.
- Add another server and load balance.
- If you have a load balancer, see if it can do SSL offloading, if it can consider doing this.  If you don't and you have a lot of traffic, this might be an option to look into.
- Get an HSM card - these are available as PCI cards and as network appliances on a non-routed private network (backnet).  They range from expensive (a grand or two for PCI cards) to 'you gotta be kidding me' (20-30k for appliances, plus expensive support contracts that you will really want to have).  If you have a lot of servers, the appliance may be a good option; if you just need a little kick, the PCI card is probably the best bet.  As an added bonus, an HSM gives high-security protection to your website's private key.  This is the hardware that the commercial CAs use to protect their CA private keys.

5) As with any cert, make sure you back up the private key and then remove that copy of the key from the server to reduce the chance of compromise.  If it is on an HSM, read the manual or contact the manufacturer to determine how you can back up your private key so you don't end up like the German electronic health card folks a few weeks ago...  Granted with a web cert you can just buy a new one, but that can take a few days (especially with an EV cert) and will cost you more money when backing it up onto a locked up flash drive just makes sense.
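The first bullet under point 4 is the one that bites most sites that move everything to https: a single stylesheet, script or image still fetched over plain http makes the browser drop the padlock/green bar. As an added example (not code from the original post), this Python scanner walks an HTML page and lists every sub-resource that would load over http; the page URL and sample HTML are constructed for the demonstration, and scheme-relative (`//cdn...`) and relative paths are resolved against the https page URL so they are correctly not flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource. A plain
# http:// value in any of these on an https page is what triggers the
# mixed-content warning the answer describes; <a href> links do not.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
}

class MixedContentParser(HTMLParser):
    """Collect sub-resource URLs that would be fetched over plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []
    def handle_starttag(self, tag, attrs):
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = dict(attrs).get(name)
            if not value:
                continue
            # srcset may hold several candidates: "a.png 1x, b.png 2x"
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                url = (cand.split() or [""])[0]
                # urljoin resolves relative and //scheme-relative URLs against
                # the https page URL, so only explicit http:// survives.
                absolute = urljoin(self.page_url, url)
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append((tag, name, absolute))

def find_mixed_content(page_url, html):
    """Return [(tag, attribute, absolute_url), ...] for every http:// sub-resource."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.insecure

# Constructed sample page (not from the original post), assumed to be served
# from https://www.example.com/.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="/js/app.js"></script></head><body>
<img src="//cdn.example.com/logo.png">
<img src="http://static.example.com/banner.png">
<img srcset="http://static.example.com/hero-1x.png 1x, https://static.example.com/hero-2x.png 2x">
<a href="http://www.example.com/about">About</a>
</body></html>"""
```

Running `find_mixed_content("https://www.example.com/", SAMPLE_HTML)` reports the stylesheet, the banner image and the 1x srcset candidate; the relative script, the scheme-relative logo and the plain link are left alone.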