I have the following code that attempts to verify a server certificate against the CA in my private PKI. It's used with ServicePointManager and RemoteCertificateValidationCallback:
using System.Diagnostics;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static bool VerifyServerCertificate(object sender, X509Certificate certificate,
    X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    // Load the private CA certificate that the server certificate should chain to
    X509Certificate2 ca = new X509Certificate2();
    ca.Import("ca-rsa-cert.der");

    X509Chain chain2 = new X509Chain();
    chain2.ChainPolicy.ExtraStore.Add(ca);
    // Check all properties
    chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
    // This setup does not have revocation information
    chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

    // Build() also returns a bool telling whether the chain was built without errors
    chain2.Build(new X509Certificate2(certificate));
    if (chain2.ChainStatus.Length == 0)
    {
        return true;
    }
    bool result = chain2.ChainStatus[0].Status == X509ChainStatusFlags.NoError;
    Debug.Assert(result == true);
    return result;
}
The problem is that chain2.ChainStatus.Length is always 0.

If I set X509RevocationMode to X509RevocationMode.Online, then ChainStatus.Length == 1 and the status is set to X509ChainStatusFlags.RevocationStatusUnknown. (It's expected because there's no revocation in the test rig.)

Question: What does a 0 length ChainStatus.Length mean?

Question: If it's success, then why is X509ChainStatusFlags.NoError not used?
If ChainStatus.Length == 0, that means that your chain was built correctly. You can check the result with the Verify() function; it uses the Online revocation mode and the standard policy verification.
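The following callback is an added example, not code from the question or the answer. It shows the interpretation above in practice: Build() returns false whenever ChainStatus is non-empty, so the callback acts on that bool, inspects every status entry rather than only the first, and then pins the chain's root to the private CA so that a certificate chaining to some other trusted root in the machine store is not accepted by accident. The file name ca-rsa-cert.der comes from the question; the class name, the pinning logic and the handling of UntrustedRoot are assumptions for this example.

```csharp
using System;
using System.Diagnostics;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PrivateCaValidator
{
    // Private CA certificate (path taken from the question; adjust for your PKI)
    const string CaPath = "ca-rsa-cert.der";

    // Signature matches RemoteCertificateValidationCallback, so this can be assigned to
    // ServicePointManager.ServerCertificateValidationCallback
    public static bool VerifyServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // The hostname check is not part of chain building; keep the framework's verdict on it
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0 ||
            (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
        {
            return false;
        }

        var ca = new X509Certificate2(CaPath);
        var leaf = new X509Certificate2(certificate);

        using (var chain2 = new X509Chain())
        {
            chain2.ChainPolicy.ExtraStore.Add(ca);
            chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            // No revocation information in this PKI (as in the question)
            chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

            // Build() returns true exactly when ChainStatus is empty, i.e. no element
            // reported anything other than NoError
            bool built = chain2.Build(leaf);
            if (!built)
            {
                foreach (X509ChainStatus status in chain2.ChainStatus)
                {
                    // A root that is only present in ExtraStore (not in a trusted root store)
                    // reports UntrustedRoot; that case is decided by the pinning check below.
                    // Any other flag (NotTimeValid, NotSignatureValid, PartialChain, ...) is fatal.
                    if ((status.Status & ~X509ChainStatusFlags.UntrustedRoot) != X509ChainStatusFlags.NoError)
                    {
                        Debug.WriteLine("chain error: {0} ({1})", status.Status, status.StatusInformation);
                        return false;
                    }
                }
            }

            // Pin the root: the last element of the built chain must be our CA, compared by
            // thumbprint. This rejects certificates that built a clean chain to an unrelated
            // root in the machine's trusted store.
            X509ChainElement root = chain2.ChainElements[chain2.ChainElements.Count - 1];
            return string.Equals(root.Certificate.Thumbprint, ca.Thumbprint,
                StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

On .NET 5 and later the same intent can be expressed without tolerating UntrustedRoot: set chain2.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust and add the CA to chain2.ChainPolicy.CustomTrustStore instead of ExtraStore, after which Build() returns true only for chains ending at that CA and the thumbprint comparison becomes a second line of defence rather than the primary check.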