The organization must use certificates signed by valid internal certification authorities when these are for internal applications.
CWE-295: Improper Certificate Validation: The software does not validate, or incorrectly validates, a certificate.
OWASP-ASVS v4.0.1 V9.2 Server Communications Security Requirements.(9.2.1): Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected.