A digital certificate is a special file that contains information about the identity of a computer, a program, or a web site. Certificates are issued by certificate authorities (CAs), which are trusted companies that guarantee the validity of a certificate.
Certificates provide the means for two entities that are about to communicate to validate each other’s identity. For this to work, each entity must have a certificate issued by a trusted CA, and also the root certificate for the CA that issued the certificate for the other entity.
For example, assume two devices X and Y want to communicate. X has a certificate issued by CA1, and Y has a certificate issued by CA2. When attempting to establish a secure connection, X checks that Y’s certificate is valid by making sure it was signed by a trusted CA. It does this by comparing the signature on Y’s certificate (issued by CA2) against its own copy of the CA2 root certificate. Y validates the certificate for X in the same manner, checking that the CA1 signature on X’s certificate matches Y’s own copy of the CA1 root certificate. So, for this process to be successful, both X and Y must already have the root certificate of the required certificate authority installed. Most web servers come pre-installad with the root certificates for all major trusted CAs.