Why Maintaining a private CA
For a lot of use-cases, software has become a commodity. You can buy something off the shelf, a bit of configuration, and you're good to go. You find a lot of Open/Free Software even: you don't have to actually buy for solutions to common problems.
But in some cases, you will need something custom. Whether its you or someone in your company, you'll create whatever custom solves your needs.
It could be a local LAN is the proper place where to expose it. In some cases, that can happen over a good VPN, and the broader internet does not even know about it.
That could be a good thing, until you don't have the need to actually expose your software or digital asset of sort to the open internet.
There are many ways to expose resources to the broader internet without allowing access to just everyone. A login system is what you want: the user should be someone who identifies itself and based on that is assigned some role.
Attaching specific capability to a role is a way; this is referred to as a RBAC: Role Based Access Control.
It could be that you need something simpler, if the system you expose has a flat hierarchy, with all users being equal. It could be that your IAM (Identity and Access Management) structure needs to be more flexible and reflect some sort of company hierarchical structure.
This is not the point. Regardless of the login system, you are still exposing your door to the world. Unless this is either a public blog or a social network, that might not be something you really want.
Doubly so if the client is not even a physical user, but some sort of physical device.
There is the option to distribute to the client a certificate that identifies them. In this case, when the server is contacted, it can choose, based on the client certificate, whether access should be granted, and what type of access.
In order to be able to create those certificates, and having the server to recognize them, what you need is a so-called Private CA.
[git] [vpn] [certificate]