You get (or rather, you buy) an official certificate from a trusted third party, for example a company like
Verisign. Verisign tells the client "This is Mark Henryson's certificate and we guarantee you that it is an official certificate that has not been tampered with".
You can also generate your own certificate with the tools in the JDK, but of course that's not very useful for real purposes, because the client has no reason to believe your certificate is trustworthy if you generate it yourself.
[ October 31, 2006: Message edited by: Jesper Young ]