dotnet
diff --git a/‎src/Security/Authorization/Policy/src/AuthorizationEndpointConventionBuilderExtensions.cs
Lines changed: 0 additions & 1 deletion b/‎src/Security/Authorization/Policy/src/AuthorizationEndpointConventionBuilderExtensions.cs
Lines changed: 0 additions & 1 deletion
diff --git a/‎src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
Lines changed: 8 additions & 1 deletion b/‎src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
Lines changed: 8 additions & 1 deletion
diff --git a/‎src/Servers/Kestrel/Core/src/Internal/Certificates/CertificateConfigLoader.cs
Lines changed: 10 additions & 7 deletions b/‎src/Servers/Kestrel/Core/src/Internal/Certificates/CertificateConfigLoader.cs
Lines changed: 10 additions & 7 deletions
diff --git a/‎src/Servers/Kestrel/Core/src/Internal/Certificates/ICertificateConfigLoader.cs
Lines changed: 1 addition & 1 deletion b/‎src/Servers/Kestrel/Core/src/Internal/Certificates/ICertificateConfigLoader.cs
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs
Lines changed: 4 additions & 2 deletions b/‎src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs
Lines changed: 4 additions & 2 deletions
diff --git a/‎src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs
Lines changed: 4 additions & 3 deletions b/‎src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs
Lines changed: 4 additions & 3 deletions
diff --git a/‎src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
Lines changed: 1 addition & 1 deletion b/‎src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Servers/Kestrel/Core/src/PublicAPI.Unshipped.txt
Lines changed: 2 additions & 0 deletions b/‎src/Servers/Kestrel/Core/src/PublicAPI.Unshipped.txt
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Servers/Kestrel/Core/test/SniOptionsSelectorTests.cs
Lines changed: 72 additions & 7 deletions b/‎src/Servers/Kestrel/Core/test/SniOptionsSelectorTests.cs
Lines changed: 72 additions & 7 deletions
diff --git a/‎src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs
Lines changed: 3 additions & 5 deletions b/‎src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs
Lines changed: 3 additions & 5 deletions
@@ -168,5 +168,4 @@ private static void RequireAuthorizationCore<TBuilder>(TBuilder builder, IEnumer
             }
         });
     }
-
 }
@@ -29,14 +29,21 @@ public HttpsConnectionAdapterOptions()
 
     /// <summary>
     /// <para>
-    /// Specifies the server certificate used to authenticate HTTPS connections. This is ignored if ServerCertificateSelector is set.
+    /// Specifies the server certificate information presented when an https connection is initiated. This is ignored if ServerCertificateSelector is set.
     /// </para>
     /// <para>
     /// If the server certificate has an Extended Key Usage extension, the usages must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
     /// </para>
     /// </summary>
     public X509Certificate2? ServerCertificate { get; set; }
 
+    /// <summary>
+    /// <para>
+    /// Specifies the full server certificate chain presented when an https connection is initiated
+    /// </para>
+    /// </summary>
+    public X509Certificate2Collection? ServerCertificateChain { get; set; }
+
     /// <summary>
     /// <para>
     /// A callback that will be invoked to dynamically select a server certificate. This is higher priority than ServerCertificate.
 
@@ -23,11 +23,11 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel
 
     public bool IsTestMock => false;
 
-    public X509Certificate2? LoadCertificate(CertificateConfig? certInfo, string endpointName)
+    public (X509Certificate2?, X509Certificate2Collection?) LoadCertificate(CertificateConfig? certInfo, string endpointName)
     {
         if (certInfo is null)
         {
-            return null;
+            return (null, null);
         }
 
         if (certInfo.IsFileCert && certInfo.IsStoreCert)
@@ -37,6 +37,9 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel
         else if (certInfo.IsFileCert)
         {
             var certificatePath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path!);
+            var fullChain = new X509Certificate2Collection();
+            fullChain.ImportFromPemFile(certificatePath);
+
             if (certInfo.KeyPath != null)
             {
                 var certificateKeyPath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.KeyPath);
@@ -55,10 +58,10 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel
                 {
                     if (OperatingSystem.IsWindows())
                     {
-                        return PersistKey(certificate);
+                        return (PersistKey(certificate), fullChain);
                     }
 
-                    return certificate;
+                    return (certificate, fullChain);
                 }
                 else
                 {
@@ -68,14 +71,14 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel
                 throw new InvalidOperationException(CoreStrings.InvalidPemKey);
             }
 
-            return new X509Certificate2(Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path!), certInfo.Password);
+            return (new X509Certificate2(Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path!), certInfo.Password), fullChain);
         }
         else if (certInfo.IsStoreCert)
         {
-            return LoadFromStoreCert(certInfo);
+            return (LoadFromStoreCert(certInfo), null);
         }
 
-        return null;
+        return (null, null);
     }
 
     private static X509Certificate2 PersistKey(X509Certificate2 fullCertificate)
 
@@ -9,5 +9,5 @@ internal interface ICertificateConfigLoader
 {
     bool IsTestMock { get; }
 
-    X509Certificate2? LoadCertificate(CertificateConfig? certInfo, string endpointName);
+    (X509Certificate2?, X509Certificate2Collection?) LoadCertificate(CertificateConfig? certInfo, string endpointName);
 }
@@ -43,9 +43,11 @@ public SniOptionsSelector(
 
         foreach (var (name, sniConfig) in sniDictionary)
         {
+            var (serverCert, fullChain) = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}");
             var sslOptions = new SslServerAuthenticationOptions
             {
-                ServerCertificate = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}"),
+
+                ServerCertificate = serverCert,
                 EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackHttpsOptions.SslProtocols,
                 CertificateRevocationCheckMode = fallbackHttpsOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
             };
@@ -68,7 +70,7 @@ public SniOptionsSelector(
             {
                 // This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
                 // made to the server
-                sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: null);
+                sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: fullChain);
             }
 
             if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)
 
@@ -353,8 +353,9 @@ public void Load()
                 }
 
                 // A cert specified directly on the endpoint overrides any defaults.
-                httpsOptions.ServerCertificate = CertificateConfigLoader.LoadCertificate(endpoint.Certificate, endpoint.Name)
-                    ?? httpsOptions.ServerCertificate;
+                var (serverCert, fullChain) = CertificateConfigLoader.LoadCertificate(endpoint.Certificate, endpoint.Name);
+                httpsOptions.ServerCertificate = serverCert ?? httpsOptions.ServerCertificate;
+                httpsOptions.ServerCertificateChain = fullChain ?? httpsOptions.ServerCertificateChain;
 
                 if (httpsOptions.ServerCertificate == null && httpsOptions.ServerCertificateSelector == null)
                 {
@@ -423,7 +424,7 @@ private void LoadDefaultCert()
     {
         if (ConfigurationReader.Certificates.TryGetValue("Default", out var defaultCertConfig))
         {
-            var defaultCert = CertificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");
+            var (defaultCert, _ /* cert chain */) = CertificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");
             if (defaultCert != null)
             {
                 DefaultCertificateConfig = defaultCertConfig;
 
@@ -103,7 +103,7 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter
 
             // This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
             // made to the server
-            _serverCertificateContext = SslStreamCertificateContext.Create(certificate, additionalCertificates: null);
+            _serverCertificateContext = SslStreamCertificateContext.Create(certificate, additionalCertificates: options.ServerCertificateChain);
         }
 
         var remoteCertificateValidationCallback = _options.ClientCertificateMode == ClientCertificateMode.NoCertificate ?
 
@@ -1 +1,3 @@
 #nullable enable
+Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.ServerCertificateChain.get -> System.Security.Cryptography.X509Certificates.X509Certificate2Collection?
+Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.ServerCertificateChain.set -> void
@@ -1,10 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
-using System.Collections.Generic;
 using System.IO.Pipelines;
-using System.Linq;
 using System.Net.Security;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
@@ -17,7 +14,6 @@
 using Microsoft.AspNetCore.Testing;
 using Microsoft.Extensions.Logging;
 using Moq;
-using Xunit;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Tests;
 
@@ -186,6 +182,70 @@ public void ServerNameMatchingIsCaseInsensitive()
         Assert.Equal("WildcardPrefix", pathDictionary[aSubdomainOptions.ServerCertificate]);
     }
 
+    [Fact]
+    public void FullChainCertsCanBeLoaded()
+    {
+        var sniDictionary = new Dictionary<string, SniConfig>
+            {
+                {
+                    "Www.Example.Org",
+                    new SniConfig
+                    {
+                        Certificate = new CertificateConfig
+                        {
+                            Path = "Exact"
+                        }
+                    }
+                },
+                {
+                    "*.Example.Org",
+                    new SniConfig
+                    {
+                        Certificate = new CertificateConfig
+                        {
+                            Path = "WildcardPrefix"
+                        }
+                    }
+                }
+            };
+
+        var mockCertificateConfigLoader = new MockCertificateConfigLoader();
+        var pathDictionary = mockCertificateConfigLoader.CertToPathDictionary;
+        var fullChainDictionary = mockCertificateConfigLoader.CertToFullChain;
+
+        var sniOptionsSelector = new SniOptionsSelector(
+            "TestEndpointName",
+            sniDictionary,
+            mockCertificateConfigLoader,
+            fallbackHttpsOptions: new HttpsConnectionAdapterOptions(),
+            fallbackHttpProtocols: HttpProtocols.Http1AndHttp2,
+            logger: Mock.Of<ILogger<HttpsConnectionMiddleware>>());
+
+        var (wwwSubdomainOptions, _) = sniOptionsSelector.GetOptions(new MockConnectionContext(), "wWw.eXample.oRg");
+        Assert.Equal("Exact", pathDictionary[wwwSubdomainOptions.ServerCertificate]);
+
+        var (baSubdomainOptions, _) = sniOptionsSelector.GetOptions(new MockConnectionContext(), "B.a.eXample.oRg");
+        Assert.Equal("WildcardPrefix", pathDictionary[baSubdomainOptions.ServerCertificate]);
+
+        var (aSubdomainOptions, _) = sniOptionsSelector.GetOptions(new MockConnectionContext(), "A.eXample.oRg");
+        Assert.Equal("WildcardPrefix", pathDictionary[aSubdomainOptions.ServerCertificate]);
+
+        /*
+         * Chain test certs were created using smallstep cli: https://github.com/smallstep/cli
+         * root_ca(pwd: testroot) -> 
+         * intermediate_ca 1(pwd: inter) -> 
+         * intermediate_ca 2(pwd: inter) -> 
+         * leaf.com(pwd: leaf) (bundled)
+         */
+        var fullChain = fullChainDictionary[aSubdomainOptions.ServerCertificate];
+        // Expect intermediate 2 cert and leaf.com
+        Assert.Equal(2, fullChain.Count);
+        Assert.Equal("CN=leaf.com", fullChain[0].Subject);
+        Assert.Equal("CN=Test Intermediate CA 2", fullChain[0].IssuerName.Name);
+        Assert.Equal("CN=Test Intermediate CA 2", fullChain[1].Subject);
+        Assert.Equal("CN=Test Intermediate CA 1", fullChain[1].IssuerName.Name);
+    }
+
     [Fact]
     public void MultipleWildcardPrefixServerNamesOfSameLengthAreAllowed()
     {
@@ -848,19 +908,24 @@ public void CloneSslOptionsClonesAllProperties()
     private class MockCertificateConfigLoader : ICertificateConfigLoader
     {
         public Dictionary<object, string> CertToPathDictionary { get; } = new Dictionary<object, string>(ReferenceEqualityComparer.Instance);
+        public Dictionary<object, X509Certificate2Collection> CertToFullChain { get; } = new Dictionary<object, X509Certificate2Collection>(ReferenceEqualityComparer.Instance);
 
         public bool IsTestMock => true;
 
-        public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
+        public (X509Certificate2, X509Certificate2Collection) LoadCertificate(CertificateConfig certInfo, string endpointName)
         {
             if (certInfo is null)
             {
-                return null;
+                return (null, null);
             }
 
             var cert = TestResources.GetTestCertificate();
             CertToPathDictionary.Add(cert, certInfo.Path);
-            return cert;
+
+            var fullChain = TestResources.GetTestChain();
+            CertToFullChain[cert] = fullChain;
+
+            return (cert, fullChain);
         }
     }
 
 
@@ -1,10 +1,6 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Linq;
 using System.Security.Authentication;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
@@ -16,7 +12,6 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.FileProviders;
 using Microsoft.Extensions.Hosting;
-using Xunit;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Tests;
 
@@ -140,6 +135,7 @@ public void ConfigureDefaultsAppliesToNewConfigureEndpoints()
         serverOptions.ConfigureHttpsDefaults(opt =>
         {
             opt.ServerCertificate = TestResources.GetTestCertificate();
+            opt.ServerCertificateChain = TestResources.GetTestChain();
             opt.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
         });
 
@@ -155,6 +151,8 @@ public void ConfigureDefaultsAppliesToNewConfigureEndpoints()
                 ran1 = true;
                 Assert.True(opt.IsHttps);
                 Assert.NotNull(opt.HttpsOptions.ServerCertificate);
+                Assert.NotNull(opt.HttpsOptions.ServerCertificateChain);
+                Assert.Equal(2, opt.HttpsOptions.ServerCertificateChain.Count);
                 Assert.Equal(ClientCertificateMode.RequireCertificate, opt.HttpsOptions.ClientCertificateMode);
                 Assert.Equal(HttpProtocols.Http1, opt.ListenOptions.Protocols);
             })
Original file line number	Diff line number	Diff line change
`@@ -168,5 +168,4 @@ private static void RequireAuthorizationCore<TBuilder>(TBuilder builder, IEnumer`
`168`	`168`	`}`
`169`	`169`	`});`
`170`	`170`	`}`
`171`		`-`
`172`	`171`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,11 +23,11 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel`
`23`	`23`
`24`	`24`	`public bool IsTestMock => false;`
`25`	`25`
`26`		`- public X509Certificate2? LoadCertificate(CertificateConfig? certInfo, string endpointName)`
	`26`	`+ public (X509Certificate2?, X509Certificate2Collection?) LoadCertificate(CertificateConfig? certInfo, string endpointName)`
`27`	`27`	`{`
`28`	`28`	`if (certInfo is null)`
`29`	`29`	`{`
`30`		`- return null;`
	`30`	`+ return (null, null);`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`if (certInfo.IsFileCert && certInfo.IsStoreCert)`
`@@ -37,6 +37,9 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel`
`37`	`37`	`else if (certInfo.IsFileCert)`
`38`	`38`	`{`
`39`	`39`	`var certificatePath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path!);`
	`40`	`+ var fullChain = new X509Certificate2Collection();`
	`41`	`+ fullChain.ImportFromPemFile(certificatePath);`
	`42`	`+`
`40`	`43`	`if (certInfo.KeyPath != null)`
`41`	`44`	`{`
`42`	`45`	`var certificateKeyPath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.KeyPath);`
`@@ -55,10 +58,10 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel`
`55`	`58`	`{`
`56`	`59`	`if (OperatingSystem.IsWindows())`
`57`	`60`	`{`
`58`		`- return PersistKey(certificate);`
	`61`	`+ return (PersistKey(certificate), fullChain);`
`59`	`62`	`}`
`60`	`63`
`61`		`- return certificate;`
	`64`	`+ return (certificate, fullChain);`
`62`	`65`	`}`
`63`	`66`	`else`
`64`	`67`	`{`
`@@ -68,14 +71,14 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel`
`68`	`71`	`throw new InvalidOperationException(CoreStrings.InvalidPemKey);`
`69`	`72`	`}`
`70`	`73`
`71`		`- return new X509Certificate2(Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path!), certInfo.Password);`
	`74`	`+ return (new X509Certificate2(Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path!), certInfo.Password), fullChain);`
`72`	`75`	`}`
`73`	`76`	`else if (certInfo.IsStoreCert)`
`74`	`77`	`{`
`75`		`- return LoadFromStoreCert(certInfo);`
	`78`	`+ return (LoadFromStoreCert(certInfo), null);`
`76`	`79`	`}`
`77`	`80`
`78`		`- return null;`
	`81`	`+ return (null, null);`
`79`	`82`	`}`
`80`	`83`
`81`	`84`	`private static X509Certificate2 PersistKey(X509Certificate2 fullCertificate)`
Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,5 @@ internal interface ICertificateConfigLoader`
`9`	`9`	`{`
`10`	`10`	`bool IsTestMock { get; }`
`11`	`11`
`12`		`- X509Certificate2? LoadCertificate(CertificateConfig? certInfo, string endpointName);`
	`12`	`+ (X509Certificate2?, X509Certificate2Collection?) LoadCertificate(CertificateConfig? certInfo, string endpointName);`
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,9 +43,11 @@ public SniOptionsSelector(`
`43`	`43`
`44`	`44`	`foreach (var (name, sniConfig) in sniDictionary)`
`45`	`45`	`{`
	`46`	`+ var (serverCert, fullChain) = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}");`
`46`	`47`	`var sslOptions = new SslServerAuthenticationOptions`
`47`	`48`	`{`
`48`		`- ServerCertificate = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}"),`
	`49`	`+`
	`50`	`+ ServerCertificate = serverCert,`
`49`	`51`	`EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackHttpsOptions.SslProtocols,`
`50`	`52`	`CertificateRevocationCheckMode = fallbackHttpsOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,`
`51`	`53`	`};`
`@@ -68,7 +70,7 @@ public SniOptionsSelector(`
`68`	`70`	`{`
`69`	`71`	`// This might be do blocking IO but it'll resolve the certificate chain up front before any connections are`
`70`	`72`	`// made to the server`
`71`		`- sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: null);`
	`73`	`+ sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: fullChain);`
`72`	`74`	`}`
`73`	`75`
`74`	`76`	`if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)`
Original file line number	Diff line number	Diff line change
`@@ -353,8 +353,9 @@ public void Load()`
`353`	`353`	`}`
`354`	`354`
`355`	`355`	`// A cert specified directly on the endpoint overrides any defaults.`
`356`		`- httpsOptions.ServerCertificate = CertificateConfigLoader.LoadCertificate(endpoint.Certificate, endpoint.Name)`
`357`		`- ?? httpsOptions.ServerCertificate;`
	`356`	`+ var (serverCert, fullChain) = CertificateConfigLoader.LoadCertificate(endpoint.Certificate, endpoint.Name);`
	`357`	`+ httpsOptions.ServerCertificate = serverCert ?? httpsOptions.ServerCertificate;`
	`358`	`+ httpsOptions.ServerCertificateChain = fullChain ?? httpsOptions.ServerCertificateChain;`
`358`	`359`
`359`	`360`	`if (httpsOptions.ServerCertificate == null && httpsOptions.ServerCertificateSelector == null)`
`360`	`361`	`{`
`@@ -423,7 +424,7 @@ private void LoadDefaultCert()`
`423`	`424`	`{`
`424`	`425`	`if (ConfigurationReader.Certificates.TryGetValue("Default", out var defaultCertConfig))`
`425`	`426`	`{`
`426`		`- var defaultCert = CertificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");`
	`427`	`+ var (defaultCert, _ /* cert chain */) = CertificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");`
`427`	`428`	`if (defaultCert != null)`
`428`	`429`	`{`
`429`	`430`	`DefaultCertificateConfig = defaultCertConfig;`
Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter`
`103`	`103`
`104`	`104`	`// This might be do blocking IO but it'll resolve the certificate chain up front before any connections are`
`105`	`105`	`// made to the server`
`106`		`- _serverCertificateContext = SslStreamCertificateContext.Create(certificate, additionalCertificates: null);`
	`106`	`+ _serverCertificateContext = SslStreamCertificateContext.Create(certificate, additionalCertificates: options.ServerCertificateChain);`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`var remoteCertificateValidationCallback = _options.ClientCertificateMode == ClientCertificateMode.NoCertificate ?`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,3 @@`
`1`	`1`	`#nullable enable`
	`2`	`+Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.ServerCertificateChain.get -> System.Security.Cryptography.X509Certificates.X509Certificate2Collection?`
	`3`	`+Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.ServerCertificateChain.set -> void`