SSLStream should support taking a pre-validated immutable full certificate chain

[davidfowl]

In server scenarios on Linux it's important to support scenarios where the full certificate chain is provided outside of the certificate store (like a PEM file with the full chain). SSlStream should support this so that Kestrel can provide an API for providing the full certificate chain.

As an example, using Lets Encrypt with certbot generates both the SSL cert and a full chain cert. The latter is usually fed into Apache/nginx/haproxy (servers) which avoids the need for any need to retrieve the full chain on demand.

It also works well in container scenarios where the disk cache becomes ephemeral.

See dotnet/aspnetcore#21183 for the latest issue on an example where it was problematic.

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq
Notify danmosemsft if you want to be subscribed.

Tagging subscribers to this area: @dotnet/ncl
Notify danmosemsft if you want to be subscribed.

[davidfowl]

This fits in with #31944

[iamcarbon]

We've done our own ACME implementation for a reverse proxy and were also given a lot of grief figuring out how to include the full chain. We finally figured it out but also ran into issues loading 5K+ certificates from memory and moved our front proxy to Caddy.

We'd love to see time invested in making the certificate selection async and ability to load 50K+ certificates with chains into memory (either at startup or lazily during certificate selection).

[mholt]

@iamcarbon I'd like to know more about your deployment. Can I ask details? 😃 (So as not to derail this issue, could I email you? Or vice-versa?)