The browser is initially set up with a set of trust anchors (the CA certificates it trusts). What these are may depend on the operating system or installation.
One of these trust anchors is GeoTrust Global CA.
When connecting to www.google.com, the server sends its certificate chain, *.google.com and Google Internet Authority G2.
The browser then verifies that *.google.com was indeed signed by Google Internet Authority G2. It then looks for the issuer of Google Internet Authority G2 and tries to match it with the subject of one of the trust anchors it knows (GeoTrust Global CA). When it has found a match, it also verifies the signature of Google Internet Authority G2 using GeoTrust Global CA's public key.
There's a bit more to it than that: checking validity in time and various usage attributes.
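The steps above written out by hand in Go, as an added example that is not part of the original text. The three certificates are constructed in memory with made-up names and Ed25519 keys (assumptions for the demo), and `issue` and `verifyChain` are hypothetical helper names.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for cn, signed by parent (self-signed if parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // errors ignored: demo fixture only
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyChain: validity in time, leaf signed by intermediate, then issuer-to-anchor match plus signature.
func verifyChain(leaf, inter *x509.Certificate, now time.Time, anchors ...*x509.Certificate) error {
	valid := func(c *x509.Certificate) bool { return !now.Before(c.NotBefore) && !now.After(c.NotAfter) }
	if !valid(leaf) || !valid(inter) {
		return fmt.Errorf("leaf or intermediate is outside its validity period")
	}
	if err := leaf.CheckSignatureFrom(inter); err != nil { // also rejects an issuer that is not a CA
		return fmt.Errorf("leaf not signed by intermediate: %w", err)
	}
	for _, a := range anchors {
		// The name match only selects a candidate anchor; the signature check is what proves it.
		if string(inter.RawIssuer) == string(a.RawSubject) && inter.CheckSignatureFrom(a) == nil {
			return nil
		}
	}
	return fmt.Errorf("no trust anchor matches the issuer and signature of %s", inter.Subject.CommonName)
}

func main() {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, root, rootKey)
	leaf, _ := issue("*.example.test", false, inter, interKey)
	fmt.Println("chain verifies:", verifyChain(leaf, inter, time.Now(), root) == nil)
}
```

In real code, `x509.Certificate.Verify` with an `x509.CertPool` of roots and intermediates performs these checks along with hostname matching and key-usage constraints.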