When trying to connect with a client, it looks like there is a missing certificate in the demo certs.
For example, the cert chain for TestHub indicates it is signed by "Bar Signing CA", which is further signed by "Bar Root CA". "Bar Root CA" is available in config/TestSigningCertificate.pem; however, the Signing CA is not checked in, so only partial chain verification is possible.
I can generate new certificates, but would it be possible to add the intermediate certificate? Also, the TestHub server could then provide it (right now openssl s_client -showcerts only shows the end cert, not the intermediate one).
In BACnet/SC, only the signing certificate should be used for validation, not the complete chain.
Clause AB.7.4 says "Validate that the peer's operational certificate is directly signed by one of the locally configured CA certificates" and "no additional checks beyond the above shall be performed by default", which means that there is no validation of the "locally configured CA certificates" themselves.
The fact that they have been configured into the device is akin to the collection of root certs that have been configured into your browser. The fact that the BACnet certs might not be roots themselves is not important. Therefore, there is no reason to follow a chain back to a trusted cert because the first level is the trusted level.
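The validation rule described in the reply above, as an added example (not code from the project or from either poster): the script builds a constructed three-level demo PKI and uses the OpenSSL CLI to approximate the "directly signed by a locally configured CA certificate" check. All certificate names, file names and function names are made up, OpenSSL 1.1.1 or later is assumed, and `openssl verify` also applies its usual validity checks, so this approximates Clause AB.7.4 rather than implementing it.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (all names made up): root -> signing CA -> hub certificate.
set -eu

csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_demo_pki() {  # $1 = output directory
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$dir/ca.ext"
  csr "$dir/root" "Demo Root CA"
  csr "$dir/signing" "Demo Signing CA"
  csr "$dir/hub" "Demo Hub"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  openssl x509 -req -in "$dir/signing.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/signing.pem" 2>/dev/null
  openssl x509 -req -in "$dir/hub.csr" -CA "$dir/signing.pem" \
    -CAkey "$dir/signing.key" -CAcreateserial -days 2 \
    -out "$dir/hub.pem" 2>/dev/null
}

# Succeeds only if the peer certificate ($2) is issued directly by the locally
# configured CA certificate ($1). -partial_chain lets a non-root certificate be
# the trust anchor; -verify_depth 0 allows no intermediates in between, even if
# the peer supplies some ($3, optional). -no-CApath ignores the system store.
directly_signed_by() {
  openssl verify -partial_chain -verify_depth 0 -no-CApath -CAfile "$1" \
    ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d)
  make_demo_pki "$tmp"
  directly_signed_by "$tmp/signing.pem" "$tmp/hub.pem" \
    && echo "signing CA configured: accepted"
  directly_signed_by "$tmp/root.pem" "$tmp/hub.pem" \
    || echo "only root configured: rejected"
  directly_signed_by "$tmp/root.pem" "$tmp/hub.pem" "$tmp/signing.pem" \
    || echo "root configured, intermediate sent by peer: still rejected"
  rm -rf "$tmp"
}

demo
```

The second case is the situation from the question: with only the root configured, the hub certificate does not validate until the certificate that actually signed it is the one configured locally.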