Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (https://www.digi-sign.com)

By Anonymous
Created Feb 22 2008 - 17:34

Understanding Online Security

PDF [1]

Digital Certificates [2] are issued by a Certificate Authority [CA]. Any organisation can opt to operate its own CA. Typically, the organisations that have a CA are either commercial CAs that offer their services to other organisations as an external service, or organisations that purchase the necessary systems for their own use.

The CA system issues the different types of Digital Certificate from its central core, which is called the Certificate Engine.

Regardless of the type of CA system or how it is operated, the Certificate Engine for the system has at least one Root Certificate. The Certificate Engine core uses the Root Certificate to sign the various types of Digital Certificates the CA issues.


  • Types of Root Certificate
  • In the same way that a Grandson can be traced back to his Grandfather (and, if needed, the true legal identity proven using DNA analysis), a web server Certificate can be traced back to its Root, and by definition this relationship is tested, verifiable and cannot be compromised.


    Depending on the type of CA system, the Root Certificate used by the Certificate Engine to sign the Certificates below it can be:

    • Self-Signed Root [SSRoot]
    • Trusted Root [TRoot]


  • SSRoot
  • An SSRoot is a Root Certificate that is signed by itself, that is, Self-Signed. This means that the Root Certificate was created during the CA system installation and was not signed or cross-certified by any other Certificate (i.e. this Certificate is the Certificate at the top of the Certificate Chain).

  • TRoot
  • In every browser, there is a Trusted Root Certificate Store so that the important relationship from web server or person back to the TRoot can be checked every time the Certificate is accessed.


    This TRoot is used to sign all Digital Certificates below it. In much the same way that there is a natural Grandfather, Father and Son relationship, there is a chained relationship between a TRoot Certificate, an Intermediate Root Certificate and a Personal or web server Certificate.

    Digital Certificates signed in this way are part of the Trusted Chain and are said to offer public non-repudiation. Non-repudiation means that the validity of the Certificate can be proven and that the recipient has been validated and verified in accordance with internationally recognized standards [3] of practices and procedures for issuing Trusted Certificates. This can also mean that they have legal standing in a court of law and therefore can act as a legal instrument or seal for digital transactions.

    Only a Trusted Third Party [TTP] that operates a Trust Centre [4] can issue a Trusted Certificate because only a TTP has access to the TRoot Certificate needed to sign the Certificates they issue so that they can be trusted. The online flash presentation of Digi-CA™ [5] explains the benefits in a simple and easy to understand manner.
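
An added example (not from the original page or from Digi-Sign) of the chain walk described above: each Certificate is checked against its issuer's public key until a root is reached, and the chain is accepted only if that root is in the verifier's Trusted Root Certificate Store. It assumes a simplified certificate record and textbook RSA over fixed Mersenne primes as a stand-in for X.509 signatures, which is for illustration only and not secure; all names and keys are constructed, and validity dates and revocation are not modelled.

```python
import hashlib
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer pub sig")  # simplified stand-in for X.509

def make_key(a, b, e=65537):
    """Textbook RSA from Mersenne primes 2**a-1 and 2**b-1. Illustration only, NOT secure."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def _digest(subject, issuer, pub, n):
    data = f"{subject}|{issuer}|{pub}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, pub, issuer, issuer_priv):
    n, d = issuer_priv
    return Cert(subject, issuer, pub, pow(_digest(subject, issuer, pub, n), d, n))

def signed_by(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert.sig, e, n) == _digest(cert.subject, cert.issuer, cert.pub, n)

def validate(leaf, intermediates, trust_store):
    """Walk from the leaf towards a root; accept only a root held in trust_store."""
    pool = {c.subject: c for c in intermediates}
    cert = leaf
    for _ in range(len(pool) + 2):            # bounded walk, so a loop cannot hang it
        if cert.issuer in trust_store:        # issued by a root the verifier trusts
            ok = signed_by(cert, trust_store[cert.issuer].pub)
            return ok, "chains to trusted root" if ok else "bad signature"
        if cert.issuer == cert.subject:       # reached a root that nobody installed
            return False, "self-signed root not in trust store"
        parent = pool.get(cert.issuer)
        if parent is None or not signed_by(cert, parent.pub):
            return False, "issuer missing or bad signature"
        cert = parent
    return False, "chain too long"

# Constructed sample data: TRoot -> Intermediate -> web server, plus a private SSRoot.
root_pub, root_priv = make_key(521, 607)
int_pub, int_priv = make_key(107, 127)
ss_pub, ss_priv = make_key(19, 31)
srv_pub = make_key(61, 89)[0]
troot = issue("Example TRoot", root_pub, "Example TRoot", root_priv)
inter = issue("Example Intermediate", int_pub, "Example TRoot", root_priv)
server = issue("www.example.test", srv_pub, "Example Intermediate", int_priv)
ssroot = issue("Private SSRoot", ss_pub, "Private SSRoot", ss_priv)
intranet = issue("intranet.example.test", srv_pub, "Private SSRoot", ss_priv)
tampered = server._replace(subject="other.example.test")
STORE = {troot.subject: troot}
```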



Source URL: https://www.digi-sign.com/certificate%20authority/introduction

Links:
[1] https://www.digi-sign.com/downloads/download.php?id=digi-ca-pdf
[2] https://www.digi-sign.com/en/digital+certificate
[3] https://www.digi-sign.com/compliance/introduction
[4] https://www.digi-sign.com/trust+centre
[5] https://www.digi-sign.com/demos/aacd