In a cluster setting where TLS mutual authentication is required, it’s not uncommon to see client certificates signed by either self-signed root CA or private CA.
Review the differences and similarities between the two protocols from an architecture and security perspective.
A quick overview of TLS handshake
To site owners: Just because you’ve enabled HTTPS does not mean it’s sound and secure. TLS v1.0 and v1.1 is unsecure and phasing out.