The Netskope client automatically installs the Netskope tenant certificates into the system's certificate store, Firefox and Java. This occurs as part of the initial installation and when configs are pulled down for the tenant. I don't have the intricacies of the exact mechanism as they vary based on the OS. For Windows we place the certificates in the system certificate store and Keychain on Mac. Is there a specific challenge you're looking to address?
As for the second half of the question, your system's certificate store doesn't "know" the certificate is from Netskope. Instead by installing the certificate to the trusted certificate store(s) you're telling the system that these are trusted certificate issuers. I hope this helps but if there's additional questions please don't hesitate to ask.
Sam Shiflett Netskope Solution Architect - North America