The SSL/TLS peer notifies the application about the certificates received from the remote side via the OnCertificateValidate event.
The SSL component passes the application a reference to the certificate. The event is fired once for every certificate in the chain received from the remote side, in order: the first certificate passed is the topmost CA certificate present in the list, the next one is the certificate issued using that CA certificate, and so on. The last certificate passed is the end-entity certificate.
The chain always contains at least one certificate. The application can handle the certificates in the following manner:
As follows from the description above, the application starts validation only when it receives the end-entity certificate, because only at that point does it hold the whole certificate chain. For more information about certificate validation, see the corresponding how-to article.
To report whether the certificate is valid, set the Validate parameter of the OnCertificateValidate event to true or false accordingly.
If the certificate is reported as not valid, the SSL/TLS connection is not established. Note that setting Validate to true unconditionally disables certificate validation altogether: any certificate presented by the remote side is then accepted, so the handler must actually check the accumulated chain before reporting the end-entity certificate as valid.
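The following is an added example, not code from the page or from the component it documents. It shows the handler pattern the text describes: an OnCertificateValidate-style callback that collects the certificates as they arrive (topmost CA first, end-entity last), defers the decision until the end-entity certificate is in hand, and only then sets Validate for the complete chain. The SSL component, the event-argument type, the certificate fields and the trust store are all simulated here, since the page does not show the real types; the chain checks are structural stand-ins (trust anchor, issuer links, expiry, name match) for a full validation that would also verify signatures and revocation. It also contrasts the validating handler with the accept-everything anti-pattern.

```python
"""Added example: accumulating OnCertificateValidate handler (simulated component).

Assumptions (none of these types come from the page): the component delivers
certificates one per event call, topmost CA first and end-entity last; the
handler can tell whether the current certificate is the last one; the
connection is established only if every call leaves Validate set to True.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the certificate object the component passes (assumed fields)."""
    subject: str
    issuer: str
    is_ca: bool
    not_after: int  # expiry as a Unix timestamp (constructed values below)


@dataclass
class ValidateArgs:
    """Simulated event arguments: the certificate, an end-of-chain marker, and the Validate flag."""
    certificate: Cert
    is_end_entity: bool
    validate: bool = False


Handler = Callable[[ValidateArgs], None]


class SimulatedSslPeer:
    """Fires the event once per certificate, topmost CA first, end-entity last."""

    def __init__(self, on_certificate_validate: Handler):
        self.on_certificate_validate = on_certificate_validate

    def connect(self, chain_from_peer: list[Cert]) -> bool:
        assert chain_from_peer, "the chain always contains at least one certificate"
        last = len(chain_from_peer) - 1
        for i, cert in enumerate(chain_from_peer):
            args = ValidateArgs(certificate=cert, is_end_entity=(i == last))
            self.on_certificate_validate(args)
            if not args.validate:
                return False  # a certificate reported as not valid aborts the handshake
        return True


class ChainValidator:
    """Collects certificates across event calls; decides once the end-entity certificate arrives."""

    def __init__(self, trusted_roots: set[str], expected_host: str, now: int):
        self.trusted_roots = trusted_roots
        self.expected_host = expected_host
        self.now = now
        self.chain: list[Cert] = []
        self.errors: list[str] = []

    def on_certificate_validate(self, args: ValidateArgs) -> None:
        self.chain.append(args.certificate)
        if not args.is_end_entity:
            # CA certificate: the chain is still incomplete, so the decision is deferred.
            # Accepting this call only lets the component deliver the next certificate;
            # the chain as a whole is judged when the end-entity certificate arrives.
            args.validate = True
            return
        self.errors = self.check_chain(self.chain)
        args.validate = not self.errors

    def check_chain(self, chain: list[Cert]) -> list[str]:
        """Structural checks on the complete chain (topmost first).
        A real handler must also verify every signature and check revocation."""
        errors: list[str] = []
        top = chain[0]
        # The topmost certificate sent by the peer may be a root or an intermediate:
        # either it or its issuer must be a configured trust anchor.
        if top.subject not in self.trusted_roots and top.issuer not in self.trusted_roots:
            errors.append(f"untrusted chain top: {top.subject} (issued by {top.issuer})")
        for parent, child in zip(chain, chain[1:]):
            if child.issuer != parent.subject:
                errors.append(f"broken link: {child.subject} not issued by {parent.subject}")
            if not parent.is_ca:
                errors.append(f"non-CA certificate used as issuer: {parent.subject}")
        for cert in chain:
            if cert.not_after <= self.now:
                errors.append(f"expired: {cert.subject}")
        leaf = chain[-1]
        if leaf.subject != self.expected_host:
            errors.append(f"name mismatch: got {leaf.subject}, expected {self.expected_host}")
        return errors


def accept_everything(args: ValidateArgs) -> None:
    """The anti-pattern: an unconditional Validate = true disables validation entirely."""
    args.validate = True


# Constructed sample chains; these are not real certificates.
NOW = 1_700_000_000
GOOD_CHAIN = [
    Cert("Example Root CA", "Example Root CA", True, NOW + 10**8),
    Cert("Example Intermediate CA", "Example Root CA", True, NOW + 10**7),
    Cert("www.example.com", "Example Intermediate CA", False, NOW + 10**6),
]
ROGUE_CHAIN = [
    Cert("Rogue CA", "Rogue CA", True, NOW + 10**8),
    Cert("www.example.com", "Rogue CA", False, NOW + 10**6),
]


def handshake(chain: list[Cert], trusted_roots: frozenset[str] = frozenset({"Example Root CA"})) -> bool:
    """Simulated handshake with the accumulating, validating handler."""
    validator = ChainValidator(set(trusted_roots), "www.example.com", NOW)
    return SimulatedSslPeer(validator.on_certificate_validate).connect(chain)


def handshake_without_validation(chain: list[Cert]) -> bool:
    """Simulated handshake with the accept-everything handler."""
    return SimulatedSslPeer(accept_everything).connect(chain)


if __name__ == "__main__":
    print("good chain, validating handler:", handshake(GOOD_CHAIN))                      # True
    print("rogue chain, validating handler:", handshake(ROGUE_CHAIN))                    # False
    print("rogue chain, accept-all handler:", handshake_without_validation(ROGUE_CHAIN))  # True
```

The handler accepts each CA certificate only to let the component deliver the next one; whether the real component needs Validate set on non-end-entity calls is not stated on the page and is an assumption of this simulation. The chain sent by a peer often omits the root, which is why the check accepts a topmost certificate whose issuer is a trust anchor rather than insisting the topmost certificate itself be one.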