1. You have to be able to uniquely identify your computer. Usually the CPUID can be enabled in the BIOS, and that can be used on one of the CPUs.
2. A "key" is generated, encoded with a long secret key, and kept on your computer; this is merged with another long secret key that is kept by the Trusted Security keys company.
3. This "key" from step 2 is then used to produce a certificate, which is just a nice way of storing the merged key and the details of who makes up the key. One certificate per computer. The certificate is encrypted using the key on the computer, not the merged key.
4. Now, if another piece of software wants to make sure that it is communicating with that specific computer, that piece of software asks the computer for its certificate, which the computer readily supplies, but it first unencrypts the certificate using its local key. The software then examines the certificate, determines who the "trusted" publisher was, and asks the publisher to verify the certificate. This the publisher does, using its key.
5. Now that the software can "trust" the computer that it is talking to, it uses a part of the certificate as the key to encrypt all transmissions that it sends to the "trusted" computer.
6. The encryption used is called SSL, or Secure Sockets Layer.
Exactly how the certificates are formed and verified varies from trusted provider to trusted provider, but what is definite is that the computer must prove that it is the computer mentioned in the certificate.
That is what trusted certificates are all about.
Edit: Also, the trusted security company is literally split into secure sections, where one employee is not allowed to know what another employee knows, and the trusted company has very strict procedures in place that are monitored to ensure that no employee will ever have enough information to generate a trusted key.
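The following is an added example, not code from the post above, that turns the six steps into a runnable, simplified model: a trusted publisher holds a long secret, derives a per-device key from it and the device's unique id, issues a certificate binding the two, and is asked online to verify that a device really holds the matching key before a session key is handed out. It is deliberately HMAC-based so it runs with only the Python standard library; real SSL/TLS uses X.509 certificates and public-key signatures, so the verifier checks the publisher's signature offline instead of contacting it. The class names (TrustedPublisher, Device, Verifier), the "ExampleTrust" publisher name and the "CPUID-0123-EXAMPLE" device id are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Added example: simplified HMAC model of "publisher issues a certificate, software
# asks the publisher to verify it, then both sides share a key". Not SSL/TLS itself.


def _canonical(body: dict) -> bytes:
    """Serialise a certificate body deterministically so its MAC is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class TrustedPublisher:
    """The 'trusted security keys company' (constructed name 'ExampleTrust')."""

    def __init__(self, name: str = "ExampleTrust"):
        self.name = name
        self._secret = secrets.token_bytes(32)  # the long secret; never leaves here

    def _device_key(self, device_id: str) -> bytes:
        # The per-device key is the publisher secret "merged" with the unique device id.
        return hmac.new(self._secret, b"device-key|" + device_id.encode(), hashlib.sha256).digest()

    def issue(self, device_id: str) -> Tuple[dict, bytes]:
        """Enrol a device: return its certificate and the key it must keep locally."""
        body = {"device_id": device_id, "publisher": self.name, "version": 1}
        tag = hmac.new(self._secret, b"cert|" + _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}, self._device_key(device_id)

    def verify(self, cert: dict, challenge: bytes, response: bytes) -> Optional[bytes]:
        """Check the certificate and the device's proof; return a session key or None."""
        expected_tag = hmac.new(self._secret, b"cert|" + _canonical(cert["body"]),
                                hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, cert["tag"]):
            return None  # altered, or never issued by this publisher
        key = self._device_key(cert["body"]["device_id"])
        expected_resp = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_resp, response):
            return None  # presenter does not hold the device key named in the certificate
        # Session key bound to this device key and this fresh challenge.
        return hmac.new(key, b"session|" + challenge, hashlib.sha256).digest()


class Device:
    """The computer being identified: keeps its certificate and its local key."""

    def __init__(self, cert: dict, local_key: bytes):
        self.cert = cert
        self._local_key = local_key
        self._last_challenge = b""

    def prove(self, challenge: bytes) -> bytes:
        # Proof of possession: only the holder of the local key can compute this.
        self._last_challenge = challenge
        return hmac.new(self._local_key, challenge, hashlib.sha256).digest()

    def session_key(self) -> bytes:
        # Same derivation as the publisher's, so both ends agree without sending the key.
        return hmac.new(self._local_key, b"session|" + self._last_challenge, hashlib.sha256).digest()


class Verifier:
    """The software that wants to be sure which computer it is talking to."""

    def __init__(self, publisher: TrustedPublisher):
        self._publisher = publisher

    def authenticate(self, device: Device) -> Optional[bytes]:
        cert = device.cert
        if cert["body"].get("publisher") != self._publisher.name:
            return None  # names a publisher we do not trust; do not even ask
        challenge = secrets.token_bytes(16)  # fresh nonce: an old proof cannot be replayed
        response = device.prove(challenge)
        return self._publisher.verify(cert, challenge, response)


def demo() -> dict:
    """Run the flow for a genuine device, a tampered certificate and an impostor."""
    publisher = TrustedPublisher()
    verifier = Verifier(publisher)
    cert, local_key = publisher.issue("CPUID-0123-EXAMPLE")  # constructed device id

    genuine = Device(cert, local_key)
    session = verifier.authenticate(genuine)

    tampered_cert = {"body": dict(cert["body"], device_id="CPUID-9999-FORGED"), "tag": cert["tag"]}
    tampered = Device(tampered_cert, local_key)

    impostor = Device(cert, secrets.token_bytes(32))  # real certificate, wrong key

    return {
        "genuine": session is not None,
        "session_keys_match": session == genuine.session_key(),
        "tampered": verifier.authenticate(tampered) is not None,
        "impostor": verifier.authenticate(impostor) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The two rejection paths are the checks a practitioner cares about: a certificate whose body was edited no longer matches its tag, and a party holding a copied certificate without the device's local key cannot answer the fresh challenge. The publisher-name check in `Verifier.authenticate` stands in for the "who is the trusted publisher" decision in step 4.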