A. There's a chain of trust related to certificates. Most computers have a preconfigured list of trusted Certificate Authorities (CAs), which on Windows you can view using the Certificates MMC snap-in. Look at the Local Computer store under Trusted Root Certification Authorities.
Within an organization, it's common to add the internal CA to the list of trusted root CAs on the organization's computers, so that all organization-owned computers trust certificates issued by the internal CA. If you want computers outside your organization to trust the certificates you generate, you'll need to have your internal CA issued a certificate by one of the trusted root CAs, such as GlobalSign. These certificates aren't typically cheap, however. You have to decide if it's cheaper to buy individual certificates from the external CA for services external to your organization.
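
The chain of trust described in this answer can also be inspected from PowerShell. The script below is an added example, not part of the original answer: it builds the chain for one certificate and reports whether the top of that chain is in the Local Computer Trusted Root Certification Authorities store. The `$CertPath` value is a placeholder.

```powershell
# Added example: report how a certificate chains to a trusted root on this computer.
# $CertPath is a placeholder; point it at any exported .cer/.crt file.
param(
    [string]$CertPath = 'C:\temp\server.cer'
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Revocation checking is turned off only so the example runs without network access.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

# Build() returns $true only if the chain ends at a root this computer trusts.
$isTrusted = $chain.Build($cert)

Write-Output "Chain (leaf first):"
foreach ($element in $chain.ChainElements) {
    Write-Output ("  {0}  [{1}]" -f $element.Certificate.Subject, $element.Certificate.Thumbprint)
}

# The last element is the top of the chain that Windows was able to build.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Same store the MMC snap-in shows under Local Computer > Trusted Root Certification Authorities.
$inMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint })

Write-Output "Trusted by this computer: $isTrusted"
Write-Output "Top of chain is in LocalMachine\Root: $inMachineRoot"

# When the chain is not trusted, ChainStatus says why (for example UntrustedRoot or PartialChain).
foreach ($status in $chain.ChainStatus) {
    Write-Output ("  {0}: {1}" -f $status.Status, $status.StatusInformation)
}
```

A certificate issued by an internal CA shows as untrusted on a computer that does not have that CA in its root store, which is the situation the answer describes for computers outside the organization. If the first result is True while the second is False, the root is trusted through a different store, such as the current user's.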