ssl-certificate root-certificate

Why root CA can be verified only by OS ( and not by applications )


I got a hint somewhere that applications can't verify the root CA (only the OS can). I would like to get answers to the following points:

a) Is it true that only the OS can verify the root CA?

b) (If yes) Why can't applications (especially web browsers) verify the root CA?

c) (If yes) Then how can a browser verify an SSL certificate?


Solution

  • A 'root CA' is an organization that we trust. The org has once generated a certificate (a pair of public and private keys). The public key is no different than any other existing public key, except that it comes pre-installed in the OS and we all agree that it is good and trusted.

    When we browse a regular HTTPS site, we get a certificate with a public key (for example the certificate for https://www.google.com). Initially we don't trust that certificate, but either the OS or the app can verify that the certificate includes proof that it is signed by a Root CA that we already know... or it includes proof that it is signed by another trusted certificate (kind of recursive).

    This chain verification can't be done in the same way for a Root CA certificate. As it is the root, no other trusted certificate has signed it (that is why it is a root). But anyone can verify it, as in checking whether it is already installed in the Trusted Root Certificate Store of our OS.

    So, that is the difference between a root certificate and a regular one.

    That being said, either the OS or any app can verify any kind of certificate.