A local Certificate Authority (CA) is used to sign certificates specific to an organization. This allows verification of certificates signed by the CA, except for those on the certificate revocation list. An advantage over a third-party CA such as Let's Encrypt is that fewer people can create certificates with the custom local CA--maybe the certificates are used to allow relaying via SMTP, where it would not be good to trust certificates that anyone on the internet can obtain.
The following may be too minimal, though may suffice if you have control over all the systems involved, or can firewall off problematic hosts. A better CA might support such things as Certificate Revocation Lists (CRL) or the Online Certificate Status Protocol (OCSP).
Other more elaborate certificate authority setups are possible.
Haven't tried these. There are doubtless others. Maybe they might work out for you?
https://github.com/OpenVPN/easy-rsa
https://github.com/kairoaraujo/goca