Problem 1
We don't use System.Security.Cryptography.X509Certificates or X509Chain to validate the certificates. We use the Win32 API because when we wrote our certificate classes, X509Chain and X509Certificate2 were not available yet.
To construct a certificate chain for validation, we use the CertGetCertificateChain function. When the "UseCacheOnly" flag is specified, the following flags are passed to this function:
CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL | CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY
According to the function's documentation, these have the following meaning:
CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL: Uses only cached URLs in building a certificate chain. The Internet and intranet are not searched for URL-based objects.
CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY: Revocation checking only accesses cached URLs.
So it looks like this is actually what you need!
Problem 2
I don't think it's possible to skip the standard Windows trusted certificate stores when constructing the certificate chain for validation using the CertGetCertificateChain function. It's possible to specify an additional store, but it is then used in addition to the trusted certificate stores.
So the second method - check the root certificates manually - is the one to use. You can keep using Rebex classes for this. The CertificateChain.BuildFrom method can build a chain corresponding to the specified Certificate, and the resulting CertificateChain class has a RootCertificate property to easily access the root CA certificate.
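The manual root check described under Problem 2, combined with the cache-only validation from Problem 1, as an added example that is not part of the original answer and is not Rebex's own code. The class name PinnedRootValidator, the method IsTrusted and the command-line file paths are hypothetical; roots are compared by their raw DER encoding.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Rebex.Security.Certificates;

static class PinnedRootValidator   // hypothetical helper, not a Rebex class
{
    // True only if the chain validates AND ends at one of the pinned roots.
    // Windows trusted stores are still consulted while building the chain,
    // so this check narrows the set of accepted roots; it does not replace them.
    public static bool IsTrusted(Certificate leaf, string hostName,
                                 IReadOnlyList<Certificate> pinnedRoots)
    {
        CertificateChain chain = CertificateChain.BuildFrom(leaf);

        // UseCacheOnly keeps chain building and revocation checks off the network.
        ValidationResult result = chain.Validate(hostName, ValidationOptions.UseCacheOnly);
        if (!result.Valid)
        {
            Console.Error.WriteLine("Chain validation failed: " + result.Status);
            return false;
        }

        // Defensive: treat a chain without a root as untrusted.
        Certificate root = chain.RootCertificate;
        if (root == null)
            return false;

        // Compare the full DER encoding rather than the subject name,
        // which anyone can copy into a certificate of their own.
        byte[] rootDer = root.GetRawCertData();
        return pinnedRoots.Any(p => p.GetRawCertData().SequenceEqual(rootDer));
    }

    // Usage: app.exe <leaf.der> <host name> <pinned-root.der> [more roots...]
    static int Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.Error.WriteLine("usage: <leaf.der> <host> <root.der> [root.der ...]");
            return 2;
        }
        Certificate leaf = Certificate.LoadDer(args[0]);
        List<Certificate> pinned = args.Skip(2).Select(p => Certificate.LoadDer(p)).ToList();
        bool ok = IsTrusted(leaf, args[1], pinned);
        Console.WriteLine(ok ? "trusted" : "rejected");
        return ok ? 0 : 1;
    }
}
```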