In the WebSphere admin console, at Security > SSL certificate and key management > Key stores and certificates > keystore or truststore, two of the links displayed are Personal certificates and Signer certificates. What's the difference, you ask? Simply put, a Personal certificate is a certificate whose private key is held in the keystore, so the server can use it to identify itself; a Signer certificate is the certificate authority (CA) certificate that signed a child certificate (aka Personal certificate), kept in a truststore so that certificates it signed are accepted.
After a clean install of WebSphere, two certificates will be created, root and default. "root" is the Signer certificate and "default" is the Personal certificate. The "default" certificate is signed by the "root" certificate. CellDefaultKeystore > Personal Certificates will show that the "default" certificate is chained to the "root" certificate.
CellDefaultTruststore > Signer Certificates will show that the "root" certificate is trusted.
When a client submits a request to get a resource from your WebSphere application server, the default certificate (and its private key) will be used for the SSL handshake: the server presents the default certificate, proves possession of the private key, and the session keys negotiated during the handshake then encrypt the packets exchanged between the client and the server. The client accepts the default certificate only if the signer that issued it (root) is in the client's truststore.
When a node server is federated into the dmgr, there are two servers at play: the node server and the dmgr server.
Trust must be established between the dmgr and node servers so that packets can be exchanged over a secured channel such as HTTPS, which means each side must hold the signer that issued the other side's certificate. This is where Signer certificates come into the picture. In this example, the hostname of the dmgr server is dmgr.software.eng.us and the hostname of the node server is was1.software.eng.us. When the was1.software.eng.us node server is federated into the dmgr, two certificates will be added to the NodeDefaultTrustStore Signer certificates, default and root. The default certificate is the dmgr certificate and the root certificate is the node server certificate. These certificates are then used when the dmgr and node server need to communicate over a secured channel.
Likewise, if an IBM HTTP Server (IHS) web server is added to the dmgr, then you would have the root dmgr certificate and the certificate from the IHS web server (was.software.eng.us in this example) in the Signer certificates.
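To make the Personal/Signer relationship and the federation trust exchange concrete, here is an added example, not from the original page or from IBM, that reproduces the root/default pair with openssl and checks it the way a truststore check does. It creates a self-signed "root" (the Signer), a "default" certificate signed by it (the Personal certificate, using the article's sample hostname was1.software.eng.us), and a second unrelated "root" from another cell, then shows that default is trusted only once its signer is in the truststore. The file names, the otherCell OU and the helper functions are assumptions for illustration; the verification is plain openssl, not WebSphere's keystore tooling.

```shell
#!/bin/sh
# Added example (not from the original page): build a "root" signer and a
# "default" personal certificate with openssl, then verify the chain against
# truststores that do and do not contain the signer. File names, the
# otherCell OU and the helper functions are constructed for this example.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Signer certificate: a self-signed CA, the equivalent of the "root" alias.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=root/OU=dmgrCell/O=IBM/C=US" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Personal certificate: a key pair plus a cert signed by root, the "default" alias.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=was1.software.eng.us/OU=dmgrCell/O=IBM/C=US" \
  -keyout "$WORK/default.key" -out "$WORK/default.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$WORK/default.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -out "$WORK/default.pem" 2>/dev/null

# An unrelated signer from another cell: what a node's truststore holds
# before the signer exchange that federation performs.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=root/OU=otherCell/O=IBM/C=US" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# The signer exchange: the other cell's truststore gains our root signer.
cat "$WORK/other.pem" "$WORK/root.pem" > "$WORK/truststore.pem"

# verify_chain TRUSTSTORE_PEM CERT_PEM -> prints "trusted" or "untrusted",
# i.e. whether CERT_PEM chains to a signer present in TRUSTSTORE_PEM.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# issuer_of CERT_PEM -> prints the issuer CN, i.e. which signer it chains to.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *\([^,/]*\).*/\1/'
}

echo "default is issued by:          $(issuer_of "$WORK/default.pem")"
echo "truststore with root only:     $(verify_chain "$WORK/root.pem" "$WORK/default.pem")"
echo "truststore with other root:    $(verify_chain "$WORK/other.pem" "$WORK/default.pem")"
echo "truststore after signer merge: $(verify_chain "$WORK/truststore.pem" "$WORK/default.pem")"
```

The middle case is the one that bites in practice: a node whose truststore lacks the dmgr's root signer will reject the dmgr's default certificate with a handshake failure even though that certificate is perfectly valid, which is exactly why federation copies the signer into NodeDefaultTrustStore.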
If this sounds like a bunch of mumbo jumbo to you, my article on understanding the difference between a keystore and truststore may be helpful.