[release/5.0] fix SslStreamCertificateContext.Create with partial certificate chain

[wfurt]

this is port of #46664 to 5.0 branch
Fixes #46654
reported by customer originally in dotnet/aspnetcore#28584

Customer Impact

Kestrel server cannot be started if the machine is somehow missing the cert forming the root of the certificate chain being used.
This is caused by an out of bound array iteration in runtime code.

Regression?

Users who were previously able to start Kestrel no longer can. (Our API is new in 5.0, but Kestrel now uses it.)

Testing

new test case was added for partial certificate chain.

Risk

Low. The fix corrects how we iterate over the array representing the certificate chain so that we don't try to read beyond the array, nor send the wrong certificates.

Details:
With TrimRootCertificate=false, the old logic would incorrectly increase count when chain.Build() return partial chain. That would later cause ArgumentOutOfRangeException when iterating through the chain certificate collection. Further more, the TrimRootCertificate is swapped. If we want to trim root we need to subtract 2 (e.g. root itself and leaf cert) This will cause wrong number of certificates sent on the wire on Unix.

[ghost]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

this is port of #46664 to 5.0 branch

Customer Impact

Kestrel server cannot be started in certain configurations.
This is caused bu out of bound array iteration in runtime code.

Regression?

not from runtime prospective as this is new 5.0 API.
However, this was adopted by Kestrel and it is causing regression for their users.

Testing

new test case was added for partial certificate chain.

Risk

Low. The fix really is correction for array iteration.

Author:	wfurt
Assignees:	wfurt
Labels:	Servicing-consider, area-System.Net.Security
Milestone:	5.0.x