Commercial browsers such as Netscape or Internet Explorer have knowledge of existing root CA certificates because:
A.
They connect to netscape.com or microsoft.com to download the current list of CA certificates each time the user is on-line.
B.
A number of root CA certificates is already installed in the software. Users can then manually add or remove certificates to this list.
C.
A number of root certificates is already installed in the software. This list cannot be altered, but companies can request
intermediary CA certificates to be signed by one of these root CAs.
D.
There exists a standard that outlines which CA’s can be trusted ; the browser checks the CA certificate against this standard.
E.
During installation of the browser, the install program will download the latest list of trusted root CA certificates from
download.rsa.org and install these with the browser.