The latter of which is very common in corporate environments where employee's machines are provisioned by the IT department and contain the company's private CA (which is useful for non-nefarious purposes such as signing certificates for internal services).