ValidatingCertificate even returns the certificate chain as received from the server. These usually lack the root certificate (due to the assumption that the client must already possess it anyway).
If you need to access the root certificate in your
ValidatingCertificate event handler, just rebuild the chain, taking into account the CA certificates trusted by the local OS:
void Event_ValidatingCertificate(object sender, SslCertificateValidationEventArgs e)
CertificateChain chain = CertificateEngine.Default.BuildChain(e.Certificate, e.CertificateChain);
chain will have
RootCertificate populated if the CA certificate is available locally.
Note: An equivalent process is performed during the validation of the root-less chain, which is the reason it validates correctly.