(See comment Samet, explanation was to long for a comment)
Because each system has a certain list of certificates he trusts. The certificate setting is to add additional trusted certificates. If you browse to www.rabobank.nl for example, you don't have to add its certificate to your system, because its signed by VeriSign, which is by default trusted by most systems.
So if something is with a certificate which is signed by someone who's certificate is signed by someone (repeat this X times) who's certificate is trusted by your system, the browser or java will trust the thing. If not, you need to add the certificate to the list of trusted certificates, and its your responsibility.