by mikemaccana 3835 days ago
A less common question we get, and one that a lot of web devs are interested in, is 'How do I mitigate against MITM attacks?'

- As a browser, by using a default OS and watching the root CA store. You can control the key stores on most devices except iOS pretty easily: https://certsimple.com/blog/control-the-ssl-cas-your-browser...

- As a server, setting up key pinning (https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning), which throws up a browser warning if someone accesses your site with a new key.
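As an added illustration of the server-side pinning the comment mentions (this is not code from the commenter or from certsimple), the following builds and parses a `Public-Key-Pins` header and performs the browser-side check that rejects a chain whose keys match none of the stored pins; the SPKI byte strings are constructed placeholders standing in for real DER-encoded SubjectPublicKeyInfo values.

```python
import base64
import hashlib
import re

# Constructed sample inputs: in real use these would be the DER-encoded
# SubjectPublicKeyInfo of the served certificate, of an offline backup key,
# and of whatever key an interposed certificate would carry.
LEAF_SPKI = b"constructed-spki-bytes-for-current-key"
BACKUP_SPKI = b"constructed-spki-bytes-for-backup-key"
ROGUE_SPKI = b"constructed-spki-bytes-for-other-key"


def pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 value as defined by RFC 7469: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(spki_list, max_age=5184000):
    """Server side: build the Public-Key-Pins header value.
    RFC 7469 requires a backup pin (one that matches no key in the served
    chain), so callers pass at least two SPKIs, e.g. [leaf, backup]."""
    pins = "; ".join(f'pin-sha256="{pin_sha256(s)}"' for s in spki_list)
    return f"{pins}; max-age={max_age}"


def parse_pkp_header(value: str):
    """Return (set_of_pins, max_age) parsed from a header value."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', value))
    m = re.search(r"max-age=(\d+)", value)
    if not m:
        raise ValueError("max-age directive is required")
    return pins, int(m.group(1))


def can_be_noted(pins, chain_spkis):
    """Browser side: pins are only stored if the header passes the
    backup-pin rule: at least one pin matches the chain and at least one
    does not (otherwise a lost key would lock users out)."""
    matched = {pin_sha256(s) for s in chain_spkis} & pins
    return bool(matched) and bool(pins - matched)


def validate_chain(pins, chain_spkis):
    """Browser side, on a later visit: accept only if some SPKI in the
    presented chain matches a stored pin. A chain with a different key is
    the 'new key' case from the comment and triggers the pinning failure."""
    return any(pin_sha256(s) in pins for s in chain_spkis)
```

Major browsers have since removed HPKP support, so this shows the mechanism behind the warning the comment describes rather than a setting to deploy today.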