In the same way that a grandfather can be traced back from the grandson (and, if needed, the true legal identity proven using DNA analysis), a web server certificate can be traced back to its Root, and by definition this relationship is tested, verifiable and cannot be compromised.
Depending on the type of CA system, the Root certificate used by the certificate engine to sign the certificates below it can be one of two kinds:
An SSRoot is a Root certificate that is signed by itself, i.e. Self-Signed. This means that the Root certificate was created during the CA system installation and was not signed or cross-certified by any other certificate; it is the certificate at the top of the certificate chain.
Every browser contains a Trusted Root (TRoot) certificate store, so that the important relationship from the web server or person back to the TRoot can be checked every time the certificate is accessed.
This TRoot is used to sign all digital certificates below it. Much as there is a natural grandfather, father and son relationship, there is a chained relationship between a TRoot certificate, an Intermediate Root certificate and a personal or web server certificate.
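The chain walk described above, as an added Go example that uses only the standard library and is not code from the original article: it builds a Self-Signed Root, an Intermediate Root signed by that Root, and a web server certificate signed by the Intermediate, checks each grandfather/father/son link individually, and then verifies the web server certificate the way a browser does, once against a trust store that contains the Root and once against an empty store (the SSRoot case, where nothing in the store vouches for the top of the chain). The names "Example Root CA", "Example Intermediate CA" and "www.example.com", the key type and the lifetimes are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is the three-level grandfather/father/son chain from the text:
// a self-signed Root, an Intermediate signed by the Root, and a web
// server (leaf) certificate signed by the Intermediate.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue signs template with signer, which must be parent's private key.
// A nil parent makes the certificate self-signed (an SSRoot).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates fresh keys and certificates. All names and
// lifetimes are constructed for this example.
func BuildChain() (*Chain, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, interKey, leafKey := keys[0], keys[1], keys[2]
	now := time.Now()
	caTemplate := func(serial int64, cn string, years int) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.AddDate(years, 0, 0),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	// The Root signs itself: nothing above it vouches for it.
	root, err := issue(caTemplate(1, "Example Root CA", 10), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// The Intermediate is signed with the Root's key and may only sign leaves.
	interTmpl := caTemplate(2, "Example Intermediate CA", 5)
	interTmpl.MaxPathLenZero = true
	inter, err := issue(interTmpl, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// The web server certificate is signed with the Intermediate's key.
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// SignedBy checks one link of the chain: was child's signature made with
// parent's key, and is parent a CA allowed to sign certificates?
func SignedBy(child, parent *x509.Certificate) bool {
	return child.CheckSignatureFrom(parent) == nil
}

// VerifyLeaf does what a browser does: walk from the leaf through the
// offered intermediates to a Root in the trust store and check that the
// certificate is valid for host. With an empty store the walk ends at a
// Root nobody trusts and verification fails.
func VerifyLeaf(c *Chain, trusted []*x509.Certificate, host string) error {
	roots := x509.NewCertPool() // an empty pool, deliberately not the system store
	for _, t := range trusted {
		roots.AddCert(t)
	}
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf<-intermediate:", SignedBy(c.Leaf, c.Intermediate), " intermediate<-root:", SignedBy(c.Intermediate, c.Root), " root<-root:", SignedBy(c.Root, c.Root))
	fmt.Println("root in trust store:", VerifyLeaf(c, []*x509.Certificate{c.Root}, "www.example.com"))
	fmt.Println("empty trust store:", VerifyLeaf(c, nil, "www.example.com"))
}
```

The individual `SignedBy` checks only prove that each certificate was signed with the key of the one above it; they say nothing about whether the Root deserves trust. That decision is made entirely by what sits in the trust store passed to `VerifyLeaf`, which is why the same chain verifies with the Root in the store and fails, with an unknown-authority error, when the store is empty.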
Digital certificates signed in this way are part of the Trusted Chain and are said to offer public non-repudiation. Non-repudiation means that the validity of the certificate can be proven and that the recipient has been validated and verified in accordance with internationally recognised standards of practice and procedure for issuing Trusted certificates. It can also mean that such certificates have legal standing in a court of law and can therefore act as a legal instrument or seal for digital transactions.
Only a Trusted Third Party (TTP) that operates a Trust Centre can issue a Trusted certificate, because only a TTP has access to the TRoot certificate needed to sign the certificates it issues so that they can be trusted.
Only a certified commercial CA organisation or a certified independent organisation can achieve the status necessary to own and operate the TRoot CA in a Trust Centre.
Trust Centres are commercial CAs and are usually operated by accredited TTP organisations. A TTP is an organisation that has been certified in accordance with international standards as suitable and capable of issuing digital certificates. To attain TTP status, the organisation must have at its disposal a secure data centre that conforms to the WebTrust or similar standards (WebTrust being an internationally recognised authority that certifies TTPs).
This typically means that the data centre meets the same military standards for physical facilities, personnel, procedures, practices, security controls and allocations as are used when storing nuclear missiles, and it is therefore highly secure. Once the TTP has been certified and its Root certificates accepted by the major browsers, it can issue Trusted certificates.