When a website uses HTTPS they have a certificate that proves who they are. Your device uses that certificate to encrypt your data so that only that service can decrypt it. The issue is that it’s just a file and anyone can make one. So to determine whether I trust your certificate I need it to be cryptographically signed by someone I already trust. These are the certificate authorities.

If I was a certificate authority that your device trusts then I could create a certificate for any domain and your device would believe me. Meaning I could sit between you and any web service and have you encrypt things with my certiiicate in a way that lets me decrypt everything before forwarding it to the service and you would never know.