When an organization creates its own local CA without going for an external one, it’s called a private CA. In this case, the certificates are signed with the private key of the organization’s root certificate(the foremost certificate created to sign other certificates). Private CAs can be created to issue certificates for an organization’s internal network where discretion is required, and only a select group of users are involved. They may include VPNs, sensitive databases, secure mail servers, etc. In general private CAs can be employed in cases where the general public or a wide audience aren’t the target users.