OpenSSL
by_EL, 2021-09-27 17:29:57

How does an SSL/TLS certificate work?

I'm interested in the question of which component the web server uses to generate the server.pem or server.key certificates.
How, and from what, does the server generate new certificates for users who visit a certain website? I'm wondering exactly what type of thing it needs to have so that the server can generate certificates for clients from this template.
PS I have read about and know what PKI is.
Thank you in advance.


4 answer(s)

AUser0, 2021-09-27

Certificates are generated by certification authorities (for example, the free Let's Encrypt), which sign the new certificate with their key. You download and use this certificate. And the whole world trusts this new certificate because it trusts the CA that generated/signed it.

ky0, 2021-09-27

The web server does not generate anything; the paths to the key and certificates are written in its config. You can generate a private key and a CSR manually using openssl and feed it to certbot or to the control panel of a commercial CA.

AlexVWill, 2021-09-27

I will only add the following to the previous answer: if you need to set up a web server with HTTPS (or make SSL certificates for a mail server, for example), there is the free Let's Encrypt service. It uses the certbot utility, which is exactly what is responsible for generating the keys remotely, transferring them to the server and specifying them in the configs. As a result, something like these lines appears in the Apache config:

SSLCertificateFile /etc/letsencrypt/live/mysite.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mysite.net/privkey.pem

CityCat4, 2021-09-28

How does the server generate new certificates for users who visit a particular website

With nothing, and it doesn't. The certificate that the site presents was obtained in advance and configured by the site admin. The server cannot generate anything for anyone; it has an ordinary client certificate. If you yourself created a certificate for it that allows it to generate something, no one will trust such a certificate.
Yes, all of PKI is about trust :) We certainly trust all the root authorities, but no one will trust a home-made certificate.
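
A miniature version of the process the answers describe, as an added example that is not code from this thread, from certbot or from Let's Encrypt: a private CA is created, the site generates its own private key and a CSR with openssl (the step ky0 mentions), the CA signs the CSR, and `openssl verify` shows that the result is accepted only by a verifier that already holds that CA's certificate, which is CityCat4's point about a home-made certificate. The CA name "Example Root CA", the site name mysite.net (borrowed from the certbot paths above), the scratch directory and the extension choices are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not code from the thread or from certbot): a miniature PKI
# built with the openssl CLI. Hypothetical names: "Example Root CA", mysite.net.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSR and certificates
SITE="mysite.net"              # hypothetical site, like the certbot path above

# A private req config so the run does not depend on the system openssl.cnf.
# [v3_ca] is applied only when 'openssl req -x509' produces the CA certificate.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = overridden by -subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1, the CA: a self-signed root. Whoever wants to accept certificates
# issued by it must already hold ca.pem; trust is installed, never requested.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/req.cnf" -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 2, the site: the private key is generated here and never leaves the
# server; only the CSR (public key plus requested name) goes to the CA.
make_server_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/req.cnf" -subj "/CN=$SITE" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Step 3, the CA signs the CSR. The CA decides the extensions (SAN, key usage,
# CA:FALSE) through -extfile rather than copying them from the request.
sign_csr() {
  printf '%s\n' \
    "basicConstraints = critical, CA:FALSE" \
    "keyUsage = critical, digitalSignature, keyEncipherment" \
    "extendedKeyUsage = serverAuth" \
    "subjectAltName = DNS:$SITE" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.pem" 2>/dev/null
}

build_pki() { write_config; make_ca; make_server_key_and_csr; sign_csr; }

# Step 4, what a verifier can check. Each function exits 0 on success.
key_matches_cert() {
  # The public key inside the certificate must be the one derived from server.key.
  [ "$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/server.pem" -pubkey -noout 2>/dev/null)" ]
}
verify_with_private_ca() {   # succeeds: the verifier holds ca.pem
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}
verify_with_system_roots() { # fails: no public root ever signed this chain
  openssl verify "$WORK/server.pem" >/dev/null 2>&1
}
verify_hostname() {          # succeeds only for the name in the SAN
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}

report() {
  printf 'key matches certificate:         %s\n' "$(key_matches_cert && echo yes || echo no)"
  printf 'trusted with our private CA:     %s\n' "$(verify_with_private_ca && echo yes || echo no)"
  printf 'trusted with system roots:       %s\n' "$(verify_with_system_roots && echo yes || echo no)"
  printf 'hostname %s accepted:      %s\n' "$SITE" "$(verify_hostname "$SITE" && echo yes || echo no)"
  printf 'hostname other.example accepted: %s\n' "$(verify_hostname other.example && echo yes || echo no)"
}

if command -v openssl >/dev/null 2>&1; then
  build_pki && report
else
  echo "openssl is not installed; nothing to demonstrate" >&2
fi
```

The two `openssl verify` calls are the whole point: the same server.pem is "OK" when the verifier is given ca.pem and fails with the system root store, because no publicly trusted CA took part. A real CA such as Let's Encrypt differs from this lab CA only in that browsers and operating systems already ship its root; the key generation, CSR and signing steps are the same ones certbot performs on the server's behalf.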
