
It appears that Grant Taylor via NANOG <nanog@lists.nanog.org> said:
> Consider a web server that is serving up web pages to random people on the Internet completely unaffiliated / unassociated / unknown to the server; e.g. to you and your family. To be able to serve pages over HTTPS to them, a TLS certificate from a public CA that they trust MUST be used.
> Now assume, for the sake of discussion, that you have multiple such servers and they want to use mTLS to authenticate their identities to each other. -- Maybe it's for SMTP, or IKE, or VoIP, or....
As someone else noted, in this utterly implausible scenario (nobody uses domain certificates to authorize mail submission, and SMTP doesn't use client certs at all) you would have your private CA sign the certs for your users. You do know that you can have multiple signatures on the same cert, don't you?

R's,
John