AD CS is not just a role that we can install on a server and leave it to run. It needs resources to run the role services. It needs knowledge to set up and operate it. It needs to be maintained as any other IT system. It also needs solutions for backup and high availability. All these come with a cost. On the other hand, public CA certificates need to be purchased through a service provider. Each provider has many different types of certificates with different price ranges. It is important to evaluate these associated costs against the company requirements. If its regarding a few web service certificates, there is no point to maintain few servers internally just for that. If a public CA can offer same thing for $15, it makes sense to invest on that rather than wasting resource and money by maintaining an internal CA. However, it's not only the cost we need to evaluate. Internal CA provides greater flexibility administrations. It allows to create templates and policies according to organization requirements. Public CAs are only given limited control. All you can do is pay for the certificate, submit the signing request, and then download the certificate once it's issued. But public CAs do have a reputation. If a user outside the corporate network needs to trust a certificate issued by the internal CA, user needs to trust the issuing CA and the rest of the CAs in the chain. But not everyone would like to do that. But if it's from a reputed CA, it gives confident about the certificate and the content protected by it. When you use public CA, customers can get professional support via vendor whenever required. No need to have advanced knowledge to request and retrieve a digital certificate. On the other hand, internal CA requires advanced knowledge about PKI to deploy, manage, and maintain. Therefore, considering all these pros and cons, we need to decide which CA model is best suited for the origination requirements.