There doesn't need to be a central CA, you just need to establish trust with the DRM vendor. The GPU vendors coordinate with Microsoft to make Playready work, Android devices have certs that can be validated by Google for Widevine, Apple just does their own thing.