From my experience in dealing with SO and a fairly simple site using Google App Engine (and their authentication system), I’d give the following advice:

• Do NOT use OpenID for identification. It can work for authentication with your own identity management, but there are issues as soon as you try to identify a specific user.
• Its amazing how many open ids people will have, so be prepared to support multiple OpenID auth URLs (definitely more than 1, probably more than 2)
• If high security is a requirement, be very wary of OpenID. Many people will use providers that they normally only use for low-security tasks (and therefore have weak passwords). This particular issue struck Jeff Atwood directly (his account was stolen due to exactly this mistake)!
• Keep things simple for your users. If you do go with OpenID, emphasize one or two providers that they likely already have (eg, Google), and then provide a deemphasized selection for generic providers. Don’t make the more simple-minded users think about OpenID.
• Along with that thinking, a simple “Login with your Google Account” button works surprisingly well. I thought people would find it confusing to login to a third party site with their google account, but in practice this has not been a problem with our .appspot.com domain.

The bottom line is that you shouldn’t expect your users to prefer openid, but it can be an acceptable compromise. I don’t think that showing an invalid certificate is a reasonable option for many end-users.

Of course, the separate certs option is the cleanest, but you have to decide if thats really worth it for the value gained. I’m a cheapskate and would tend to avoid it myself. 🙂