While public-key cryptography solved how to encrypt data securely, it introduced a new problem: authentication. If anyone can generate a public key, how do you know the public key claiming to belong to your bank actually belongs to your bank?

Public Key Infrastructure (PKI) and Certificate Authorities (CAs) solve this. A CA is a trusted third-party organization that verifies the identity of a website owner and digitally signs their public key, issuing a digital certificate that ties the key to that identity.

When your browser connects to a secure site, it initiates a TLS handshake. During the handshake, the browser checks the site's certificate against its pre-installed list of trusted CAs. If the CA's signature on the certificate is valid, the browser trusts the site's public key, establishes a symmetric session key with the server, and the padlock icon appears.
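
The trust decision described above, as an added example that is not part of the original page: a toy CA signs a (name, key) pair, and a client accepts the key only if a CA in its trust store produced that signature. The textbook RSA keys, the names `Example Root CA`, `Unlisted CA` and `bank.example`, and the site key values are constructed for illustration. The example goes slightly beyond the text by also matching the certificate name to the hostname; real certificates are X.509 with padded signatures, validity dates and intermediate chains.

```python
import hashlib

E = 65537  # public exponent used by both toy CA keys

def make_ca(name, p, q):
    """Build a toy RSA key pair; returns (public part, private exponent)."""
    return {"name": name, "n": p * q}, pow(E, -1, (p - 1) * (q - 1))

def digest(subject, site_key, issuer, n):
    """Hash the signed fields and reduce the result into the CA modulus."""
    tbs = f"{subject}|{site_key}|{issuer}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(ca_pub, ca_priv, subject, site_key):
    """The CA binds a name to a public key by signing both together."""
    n = ca_pub["n"]
    sig = pow(digest(subject, site_key, ca_pub["name"], n), ca_priv, n)
    return {"subject": subject, "key": site_key,
            "issuer": ca_pub["name"], "sig": sig}

def browser_check(cert, hostname, trust_store):
    """Decide whether the key in cert can be trusted for hostname."""
    ca = trust_store.get(cert["issuer"])
    if ca is None:
        return "issuer not in trust store"
    want = digest(cert["subject"], cert["key"], cert["issuer"], ca["n"])
    if pow(cert["sig"], E, ca["n"]) != want:
        return "bad signature"
    if cert["subject"] != hostname:
        return "name mismatch"
    return "trusted"

# Constructed sample data: Mersenne primes give small, reproducible toy keys.
ROOT_PUB, ROOT_PRIV = make_ca("Example Root CA", 2**127 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = make_ca("Unlisted CA", 2**107 - 1, 2**61 - 1)
TRUST_STORE = {ROOT_PUB["name"]: ROOT_PUB}  # the pre-installed list

BANK_KEY, IMPOSTOR_KEY = 0xB4A2C0FFEE, 0xBADC0DE  # stand-ins for site keys
genuine = issue(ROOT_PUB, ROOT_PRIV, "bank.example", BANK_KEY)
swapped = dict(genuine, key=IMPOSTOR_KEY)          # key replaced in transit
unlisted = issue(OTHER_PUB, OTHER_PRIV, "bank.example", IMPOSTOR_KEY)
forged = dict(unlisted, issuer="Example Root CA")  # claims the trusted issuer

if __name__ == "__main__":
    for label, cert in [("genuine", genuine), ("swapped", swapped),
                        ("unlisted", unlisted), ("forged", forged)]:
        print(label, "->", browser_check(cert, "bank.example", TRUST_STORE))
```

Only the unmodified certificate signed by the listed CA is accepted; generating a key and claiming the bank's name is not enough without that CA's signature.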