Generated signed X.509 client certificate is invalid (no certificate chain to its CA)

Question

I use Bouncy Castle for generation of X.509 client certificates and sing them using a known CA.

First I read the CA certificate from the certificate store, generate

Answer 1

I figured this out. If you call X509Certificate.Verify(publicKey) you have to pass the CA's public key, not the client's public key from the Pkcs10CertificationRequest.