the SSL certificate is sent by the webserver to you, which is valid only for each connection you make to the webserver (as it is part of the encryption).
You (or your browser) check the legitimacy of that certificate by checking that some trusting agent has signed that certificate.

An attacker could have sent his own (false) SSL certificate, but then it won’t be signed by some trusting agent. Unless the attacker has also compromised the trusting agent, in which case your browser (and everyone else in the world) should ignore the signatures from that agency.

As to the signing and how it’s done- when you buy a cert from a CA, they ask you to prove that you own the domain that it covers (just talking about HTTPS certs here). Generally you make a special change to the website hosted on that domain, or else receive a code at the postmaster address listed in the whois record.

However…

You can buy an “Extended validation” cert from a CA (Symantec, Geotrust, Digicert, etc) and they will verify business records, talk to human contacts, use letters from attorneys and so on, before signing. These cost more and are generally valid for longer.

I once had to work on cert validation for an entity that had 30+ international domain names on their cert and the CA had to find a human contact that owned the domain in each of those countries; it took almost six months to complete. What international security powerhouse required this insane level of work for their website? Mary Kay Cosmetics (I checked just now, they’re not like that any more).