A firm can be its own certificate authority for internal users.

The idea being tested is that an organization can run its own certificate authority to issue and manage certificates for internal users and devices. This is a standard practice in enterprise security: a private PKI lets a firm issue certificates for VPN access, Wi‑Fi, email encryption, code signing, and server authentication without relying on public CAs. To make this work, the organization distributes the root certificate of its private CA to all internal clients so they trust certificates issued by that CA. Security best practices include keeping the root CA offline, using a hierarchy with subordinate CAs, protecting private keys, and implementing revocation via CRLs or OCSP. This arrangement gives the organization control over certificate policies, issuance, renewal, and revocation, while reducing reliance on external authorities.