Technical Advisor posted a comment on ticket #1

In BACnet/SC, only the signing certificate should be used for validation, not the complete chain. Clause AB.7.4 says "Validate that the peer's operational certificate is directly signed by one of the locally configured CA certificates" and "no additional checks beyond the above shall be performed by default" which means that there is no validation of the "locally configured CA certificates" themselves. The fact that they have been configured into the device is akin to the collection of root certs...