During the SSL handshake while establishing mutual trust and authenticity and creating an SSL session.
As to your send question, the standard JSSE trust manager considers a certificate chain trusted if at least one cert in the chain is trusted. It does not have to be the root cert. If you are absolutely sure that you have to establish validity and authenticity of the root cert, you should implement a custom TrustManager and use it instead of the default implementation.