The relationship between the client, the CA and the website is:
- The client trusts the CA (for example Let's Encrypt)
- The CA issues certificates to websites, usually after verifying that the requester controls the domain (commonly via the industry-standard ACME challenge).
- When a client visits a website, the website presents its certificate. Since the client trusts the CA, it also trusts the certificate issued by the CA.
To limit the damage of a private key leak at the CA, CAs usually sign websites' certificates with intermediate certificates rather than with the root key itself. This is standard X.509. The CA:FALSE basic constraint on certificates issued to end entities (websites) means that even if such an entity signs another certificate, that certificate won't be trusted. So only root and intermediate certificates (CA:TRUE) can be trusted to issue other certificates.
To trust a CA, the client stores the CA's root certificate locally, in its trust store.
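The chain described above, as an added example (not from the original note): it builds a root, an intermediate and a website (leaf) certificate with Go's standard-library crypto/x509, then verifies the leaf the way a client would, with only the root in the local trust store. It also shows the two failure cases the note implies: the leaf alone cannot reach the root when the intermediate is missing, and a certificate signed by the CA:FALSE leaf is rejected. All names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certPair is a freshly generated certificate and its private key.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newTemplate builds a minimal X.509 template. isCA controls the Basic
// Constraints extension: CA:TRUE for root/intermediate, CA:FALSE for a leaf.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed value
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emit the extension even when IsCA is false
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key pair and has parent sign tmpl; a nil parent self-signs.
func issue(tmpl *x509.Certificate, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// verify does what a client does: trust only the roots in its local store and
// build a chain from the leaf through the presented intermediates to one of them.
func verify(leaf *x509.Certificate, roots *x509.CertPool, intermediates ...*x509.Certificate) error {
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       leaf.DNSNames[0],
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo holds the outcome of each verification so it can be inspected or tested.
type Demo struct {
	LeafIsCA            bool  // false: the website certificate carries CA:FALSE
	ValidChainErr       error // nil: root -> intermediate -> leaf verifies
	MissingIntermediate error // non-nil: the leaf alone cannot reach the root
	IssuedByLeafErr     error // non-nil: a cert signed by the CA:FALSE leaf is rejected
}

// BuildDemo creates the constructed hierarchy and runs the three verifications.
func BuildDemo() (*Demo, error) {
	root, err := issue(newTemplate("Example Root CA", 1, true), nil)
	if err != nil {
		return nil, err
	}
	inter, err := issue(newTemplate("Example Intermediate CA", 2, true), root)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(newTemplate("www.example.test", 3, false), inter)
	if err != nil {
		return nil, err
	}
	// Signing with the leaf's key is not prevented at issuance time; it is the
	// client's chain validation that must reject the result.
	byLeaf, err := issue(newTemplate("other.example.test", 4, false), leaf)
	if err != nil {
		return nil, err
	}
	store := x509.NewCertPool() // the client's local trust store: root only
	store.AddCert(root.cert)
	return &Demo{
		LeafIsCA:            leaf.cert.IsCA,
		ValidChainErr:       verify(leaf.cert, store, inter.cert),
		MissingIntermediate: verify(leaf.cert, store),
		IssuedByLeafErr:     verify(byLeaf.cert, store, inter.cert, leaf.cert),
	}, nil
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf is CA:", d.LeafIsCA)
	fmt.Println("root -> intermediate -> leaf:", d.ValidChainErr)
	fmt.Println("leaf without intermediate:", d.MissingIntermediate)
	fmt.Println("cert issued by CA:FALSE leaf:", d.IssuedByLeafErr)
}
```

The MissingIntermediate case is why a web server must send the intermediate along with its own certificate: the client only has the root stored locally and needs the intermediate to close the chain.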
Two posts follow: