@Stephen-Rodriguez great question and I hope others will add commentary to this as well. When using certificates for your organization, you are right in the fact that a web server will use a certificate to validate the server, distribute a public key and establish trust.
These certificates are provided by public trusted certificate authorities for a fee and are typically trusted by the web clients across the Internet.
However, if your organization wants to support certificate-based authentication for users, network devices, workstations or servers you can bring up an Active Directory Certificate Services (ADCS) server and issue certificates. This is typically done in a tiered public key infrastructure (PKI) implementation with a root CA that issues a certificate to a subordinate CA. The root CA will be protected by taking it offline an allowing the subordinate CA to issue the certificates to users, computers, network devices (through the NDES service) and servers.
These entities will not (by default) trust the certificate that is being presented unless the root CA certificate is imported into the device that is validating the certificate. For this the certificate that is issued to the, let's say user or device, must go through a validation process by checking the subordinate CA's certificate and then checking the validity of the root CA certificate. This is why you might bring up a private CA (root for the first one), issue a certificate to a subordinate CA and let the subordinate be the "issuing CA".
The root CA certificate must be installed on the devices before any certificates in the chain are trusted. A single public certificate can be expensive and to scale this to enterprise levels, a company can create their own internal/private CA to issue certificates to the company devices and manage the internal PKI.
As you see above this is a public CA with a root CA and the issuing CA. For companies to deploy an internal or private PKI, there is no difference, except for the fact that the company's certificates are only trusted by the company and nobody on the internet.
Knowledge is a road to be traveled upon, not a destination to be reached~~