If you have a website that provides a service to clients outside of your organization, chances are it has a digital certificate that is publicly rooted. This means that the chain of trust leads to a root certificate issued by a well-known Certificate Authority (CA) already trusted by your users’ browsers and other major application technologies (e.g., Java). Leveraging a public root enables you to instantly achieve universal trust across your user base.
You may also have a number of other servers that are not external-facing and will not need publicly rooted certificates. These servers, however, may still need authentication and signing capabilities to establish a secure TLS session with other internal servers or applications. The root of trust for these servers would be a private Certificate Authority: a CA of your own.
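The private-root case described above, as an added example that is not part of the original article: a shell script that uses the `openssl` CLI to create a private root CA, issue a certificate to an internal server, and show that the chain validates only for a client that has that root installed. The organization name, the hostname `app01.internal.example`, and the file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. All names (Example Corp, app01.internal.example) are constructed.
set -eu

make_private_pki() {                      # $1 = empty working directory
  local d="$1"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:app01.internal.example
EOF
  # 1. Self-signed root certificate: the private trust anchor.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/pki.cnf" -extensions v3_root \
    -subj "/O=Example Corp/CN=Example Internal Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # 2. Key pair and signing request for the internal server.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/pki.cnf" \
    -subj "/O=Example Corp/CN=app01.internal.example" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  # 3. The private root signs the request, adding the server extensions.
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -sha256 -days 365 \
    -extfile "$d/pki.cnf" -extensions v3_server -out "$d/server.pem" 2>/dev/null
}

# Succeeds only if the chain and hostname validate. $1 = cert, rest = verify options.
chain_ok() {
  local cert="$1"; shift
  openssl verify -verify_hostname app01.internal.example "$@" "$cert" 2>&1 | grep -q ': OK$'
}

d="$(mktemp -d)"; trap 'rm -rf "$d"' EXIT
make_private_pki "$d"
chain_ok "$d/server.pem" -CAfile "$d/root.pem" && echo "private root installed: trusted"
chain_ok "$d/server.pem" || echo "default public roots only: rejected"
```

In a real deployment the root key would be kept offline or in an HSM, and `root.pem` alone would be distributed to the internal clients that need to trust it.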