I have a certificate issued to me from a Sub CA with the following certification path:
Root CA
Sub CA
My Certificate
Why is it that when I try to validate it with X509Chain.Build(), I always need to have the Sub CA in my trusted root certificate authorities folder for it to return true? I have the root CA certificate in there already, so since I trust the root, being a web of trust, should it not also trust the sub CA? Because right now, it says that it could not build the chain to a trusted root certificate authority unless I add the Sub CA certificate to my trusted root certificate authorities.
To elaborate on Erik's comment, trusting the Root CA certificate means that you will trust what the Root CA directly signs.
If you have an intermediate Sub CA in the middle, its certificate is signed by the Root CA, and the Sub CA signs your certificate directly.
Root CA ---signs/verifies---> Sub CA ---signs/verifies---> End user certificate
As Erik said, if you do not have the Sub CA certificate present, then there is no way to link the Root CA to the End user certificate. The Root can verify the Sub CA certificate, and the Sub CA can verify the End user certificate, but there is no way for the Root to skip over the Sub CA and verify the End user certificate because the root did not sign the End user certificate.
2 ways to resolve this are:
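Added example, not code from the question or the answer: it builds the chain for the end user certificate twice with X509Chain, first with nothing extra and then with the Sub CA offered through ChainPolicy.ExtraStore, and prints the chain elements and status flags so the missing link is visible. The class name, the helper TryBuild and the two certificate file paths passed as arguments are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainDemo   // hypothetical name, added example
{
    // Builds a chain for `leaf`; `subCa` (may be null) is offered as a
    // candidate intermediate only. ExtraStore does not make it a trust
    // anchor: the chain must still end at a root the machine trusts.
    static bool TryBuild(X509Certificate2 leaf, X509Certificate2 subCa)
    {
        using (var chain = new X509Chain())
        {
            if (subCa != null)
                chain.ChainPolicy.ExtraStore.Add(subCa);

            bool ok = chain.Build(leaf);
            Console.WriteLine("Build() = {0} (Sub CA supplied: {1})", ok, subCa != null);

            // Elements run from the end user certificate up to the last
            // certificate the engine could link.
            foreach (X509ChainElement e in chain.ChainElements)
                Console.WriteLine("  element: {0}", e.Certificate.Subject);

            // PartialChain here means no issuer certificate was found for
            // some element, which is the situation the answer describes.
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  status:  {0} {1}", s.Status, s.StatusInformation?.Trim());
            return ok;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: ChainDemo <end-user.cer> <sub-ca.cer>");
            return 2;
        }
        var leaf = new X509Certificate2(args[0]);   // end user certificate
        var subCa = new X509Certificate2(args[1]);  // Sub CA certificate

        // The first call can still succeed if the platform finds the Sub CA
        // elsewhere (its intermediate CA store, or a download via the AIA URL).
        TryBuild(leaf, null);
        return TryBuild(leaf, subCa) ? 0 : 1;
    }
}
```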