Subsequent to writing the material below, I have learned that some use the term “PKI” to include cases where the private key holder is also the CA. Stuff below is largely about conflicts between the two.

These are the opportunities that an attacker has to defeat the authentication provided by web site certificates.
He must both:

The tool set, knowledge and personal connections of the attacker will determine the attack points. There is thus no one “easiest path” for all attackers.

See a note on public keys and some further rambling.