Can you explain data-at-rest v. data-in-transit?

Can the certificate also be faked? How do browsers identify that it is valid? 

can we go over question 3. the wording of the answer choices is confusing.