What does it mean for a digital certificate to be signed?
Digital signatures are created using a private key. A certificate contains a corresponding public key that can be used to verify that the signature is valid.
It means that "someone" has looked at the generated certificate and decided that it's correct and legitimate. Basically, "someone who knows the private key has verified that this data is as it must be" and the certificate says, in essence, that the signature was made (by server XYZ) and therefore means that (server XYZ) knows the private key that corresponds to the public key in this certificate. "Someone" uses his signing key to sign the certificate. (This costs money in a carefully guarded and secure transaction during which the signer, the certificate authority, is entrusted with the public key.)
When "someone else" gets the certificate, he can see who signed it. If the signer is trusted, then "someone else" will (presumably) trust it as well.
The signing depends on what kind of certificate is issued. A digital certificate consists of three parts:
* A signature is done by computing the hash of the certificate, encrypting it using the signer's private (signing) key, then adding the result to the (list of) digital signatures.
Certificates only prove identity; they perform no other useful function (i.e.: like being used to encrypt or hash something). In a typical SSL certificate, for instance, the information in the certificate is a binding between a public key and a common name. When you point your browser at https://www.amazon.com, Amazon's server will send you a certificate. This certificate binds a particular public key to the name "www.amazon.com" and your browser can confirm by three things that it's talking to the real Amazon:
Here's an illustration I largely plagiarized from a Wikipedia article. The narrative is
In step 2 of the example above, how does DigiCert trust that Acme Corp's request is honorable? How does DigiCert know that there's not some bogus person claiming to work for Acme Corp asking for a certificate that he will then use to subvert transactions from unsuspecting customers?
Each certificate authority is different and each uses many ways of doing this, but here are some of the methods employed. There are many others (in fact, what are known as the Ten Blessed Methods), but these give a good idea.
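To make the signing and checking steps described above concrete, here is an added example (not from the answers above or from any CA's tooling) using Go's standard `crypto/x509` package. It plays both roles: a made-up CA ("Example Root CA") signs a certificate binding a public key to a hostname, and a relying party checks that certificate the way a browser does: the signature must verify under a trusted CA's public key, and the name in the certificate must match the host being contacted. The CA name, hostnames, serial numbers and validity window are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a constructed CA certificate and a leaf certificate it issued.
type Chain struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// BuildChain generates a CA key pair, self-signs a CA certificate with it, then
// issues a server certificate for hostname whose signature is computed with the
// CA's private key. Only the CA's public key is needed later to verify that
// signature; the private key never leaves this function. (Constructed data.)
func BuildChain(hostname string) (*Chain, error) {
	now := time.Now()

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // made-up CA
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// A root is self-signed: template and parent are the same certificate.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	// The server has its own key pair; the CA signs the binding between the
	// server's PUBLIC key and its hostname. The CA never sees the server's private key.
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Signing: CreateCertificate hashes the TBS (to-be-signed) certificate
	// and signs the hash with caKey, the signer's private key.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &Chain{CA: caCert, Leaf: leafCert}, nil
}

// VerifyLeaf does what a browser does with a server certificate: it checks that
// the signature on leaf verifies under a CA in the trust store, that the
// validity period covers now, and that the certificate is for hostname.
// It returns nil when every check passes.
func VerifyLeaf(leaf, trustedCA *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	chain, err := BuildChain("www.example.com")
	if err != nil {
		panic(err)
	}
	// Raw signature check with the CA's public key only, no name or time checks.
	fmt.Println("signature from CA:", chain.Leaf.CheckSignatureFrom(chain.CA))
	fmt.Println("trusted CA, right name:", VerifyLeaf(chain.Leaf, chain.CA, "www.example.com"))
	// A second, unrelated CA: same hostname, but its public key does not verify
	// the first chain's signature, so the relying party must reject it.
	other, _ := BuildChain("www.example.com")
	fmt.Println("untrusted CA:", VerifyLeaf(chain.Leaf, other.CA, "www.example.com"))
	fmt.Println("wrong hostname:", VerifyLeaf(chain.Leaf, chain.CA, "login.example.com"))
}
```

The two failing calls at the end show the two things the certificate cannot do on its own: a valid signature from a CA you do not trust proves nothing to you, and a valid signature for one name says nothing about a different name. Both rejections come from the relying party's trust store and name check, not from anything the signer did.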