What you should look for is how PKI (Public Key Infrastructure) works. This article from SANS: http://www.sans.org/rr/whitepapers/vpns/764.php should help. Basically, they provide public certificates.

I've added a visual from another SANS paper that doesn't seem available but graphically gives a nice view as to what a CA/RA does. Hope this helps.