SSL certificate for an internal-only domain that's not on the Internet?

Hi MIkeRob

You are right. There are two ways of going about this.

A) Create your own internal CA and add its intermediate to all the machines in your corporate network (this is quite common, for example, for internal intranets). This is quite common in Windows Server environments.
B) CAs like GlobalSign will provide an enterprise PKI capability (i.e. the ability to sign its own certificates which are then linked up to GlobalSign).
C) You can use Boulder as your CA (this is what LetsEncrypt uses) and the certificate from B to get the best of both worlds, i.e. an internal CA which adheres to the ACME protocol. Microsoft CA relies on Microsoft Services for certificates etc.

https://www.globalsign.com/en/certificate-authority-root-signing/


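Option A from the reply above, as an added example that is not part of the original post: a private root CA built with the `openssl` CLI that issues a server certificate for an internal-only name and checks the chain. The organisation name, CA name and hostname `intranet.corp.example` are constructed placeholders, and the function names `make_internal_pki` and `verify_against` are hypothetical.

```shell
#!/bin/sh
# Added example: a private root CA issuing a server certificate for an
# internal-only name. All names below are constructed placeholders.
set -eu

make_internal_pki() {   # $1 = output directory, $2 = internal hostname
    dir=$1; host=$2
    # Self-contained config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Root CA: self-signed trust anchor that gets distributed to clients.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR for the internal hostname.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Leaf extensions: not a CA, TLS server use only, hostname in the SAN.
    cat > "$dir/server.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

verify_against() {      # $1 = trust anchor (CA cert), $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_internal_pki "$demo" intranet.corp.example
verify_against "$demo/ca.crt" "$demo/server.crt" && echo "server.crt chains to ca.crt"
```

Clients accept `server.crt` only once `ca.crt` is in their trust store; `ca.key` never belongs on the web server itself.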