The DMK (Database Master Key) is used to encrypt all other objects. When you create  a cert, or restore it, the cert is encrypted by the DMK.

By default when you create the DMK, it is encrypted by both your password and the Service Master Key. When you open a cert (or other object), the SMK decrypts the DMK and then decrypts the object you use. You can break the SMK->DMK protection, which means that each time you wanted to use an encrypted object in the database, you'd have to manually open the DMK and supply the password.