How can I verify my browser/OS's top level certificate?
In most browsers, you should be able to view the certificate for a site, and follow the chain up to the root certificate. For example, in Firefox for security.stackexchange.com, you can follow the following steps, and see that the root certificate of the chain is DST Root X3.
1) Navigate to security.stackexchange.com, and click the green padlock in the address bar.
2) Click the right arrow, next to 'Secure Connection'.
3) Click 'More information'.
4) Click 'View Certificate'.
5) Click 'Details'.
Then, look at the certificate hierarchy. You should see the following chain:
DST Root CA X3
+ Let's Encrypt Authority X3
+ *.stackexchange.com
There are a few different ways:
You can cross-check with Common CA DB. Mozilla operates this site, but all of the major root certificate store vendors (Mozilla, Microsoft, Google, Cisco, and Apple) contribute data to the common database.
All the major root certificate store maintainers publish all the root certificates that they have in their root store on their respective websites: Mozilla, Microsoft, Apple, Android.
All the public root CAs publish all the public root certificates that they manage on their own websites. This is a requirement of the CA/B Baseline Requirements, which all public CAs that want to issue certificates for websites have to comply with as part of their inclusion criteria in the root stores. Some examples: DigiCert, Comodo, GlobalSign, Let's Encrypt.
These sites publish either the list of fingerprints of the certificates, or the root certificates themselves.
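One way to run the fingerprint comparison described in the answer above, as an added example that is not part of the original answers: it computes SHA-256 fingerprints of the roots in a PEM bundle and reports any that are missing from a published fingerprint list. The function names and the sample bundle are assumptions (the bundle holds constructed placeholder bytes, not real certificates), and `os_trust_store()` returns what Python's `ssl` module loads by default, which can differ from a browser that ships its own root store.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_bundle_to_der(pem_text):
    """Split a PEM bundle into a list of DER-encoded certificates."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]

def fingerprint(der):
    """SHA-256 over the DER bytes, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(published):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    hexonly = re.sub(r"[^0-9a-fA-F]", "", published).lower()
    if len(hexonly) != 64:
        raise ValueError(f"not a SHA-256 fingerprint: {published!r}")
    return hexonly

def audit(local_ders, published_lines):
    """Return fingerprints of local roots absent from the published list."""
    trusted = {normalize(line) for line in published_lines if line.strip()}
    return [fp for fp in map(fingerprint, local_ders) if fp not in trusted]

def os_trust_store():
    """DER certificates Python loads from the default trust store."""
    return ssl.create_default_context().get_ca_certs(binary_form=True)

# Constructed sample: placeholder bytes, not real certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcm9vdCBB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcm9vdCBC
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    ders = pem_bundle_to_der(SAMPLE_BUNDLE)
    # Constructed "published" list holding only the first root, colon-separated.
    fp = fingerprint(ders[0]).upper()
    published = [":".join(fp[i:i + 2] for i in range(0, 64, 2))]
    print("not in published list:", audit(ders, published))
```

To audit a real store, pass `os_trust_store()` as `local_ders` and the fingerprint lines copied from a vendor or CA page as `published_lines`.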