HttpWebClientProtocol.ClientCertificates and PFX files

Hi all,

Imagine you want to call a webservice through SSL in a client application. You want to provide a client certificate to the SSL connection and you have a PFX file with that client certificate plus the CA certificate plus the root certificate. None of those certificates are installed in the system.

So you create an X509Certificate object from that PFX file and add it to the HttpWebClientProtocol.ClientCertificates property, but it won't work. Only if you install all the certificates in a certificate store, e.g. the one in the user's profile (so you don't need an admin user to install them), will you be able to connect to the webservice successfully.

The reason is that the info in ClientCertificates is just used to be able to find the relevant client certificates in the certificate store. So the certificates in the PFX must be installed in the store (user's or machine's profile) first, to be able to find them and use them.

When we use the ClientCertificates property, it is enough to add an X509Certificate object created from a CER file. That CER file contains just the client certificate, without the private key and of course without the CA or root certs. This is enough because the certs in ClientCertificates only identify the client cert to look up in the store, where the private key and the CA and root certs can be found (to build the certificate chain to verify trust, for instance).
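The steps described above, as an added sketch that is not code from the original post: import every certificate in the PFX into the current user's stores, then hand the proxy only the public certificate as the lookup key. The class and method names are hypothetical, and the placement of each certificate by store (My, CertificateAuthority, Root) and the Subject == Issuer test for the root are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web.Services.Protocols;

static class PfxClientCertSetup   // hypothetical helper, not part of the framework
{
    // Installs every certificate found in the PFX into the current user's stores
    // and returns the client certificate (the one that carries the private key).
    public static X509Certificate2 InstallFromPfx(string pfxPath, string password)
    {
        var certs = new X509Certificate2Collection();
        // UserKeySet keeps the key in the user's profile (no admin rights needed);
        // PersistKeySet keeps it there after these in-memory objects are released.
        certs.Import(pfxPath, password,
            X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);

        X509Certificate2 client = null;
        foreach (X509Certificate2 cert in certs)
        {
            StoreName target;
            if (cert.HasPrivateKey) { target = StoreName.My; client = cert; }
            else if (cert.Subject == cert.Issuer) target = StoreName.Root; // self-signed heuristic
            else target = StoreName.CertificateAuthority;

            var store = new X509Store(target, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadWrite);
            try { store.Add(cert); }
            finally { store.Close(); }
        }
        if (client == null)
            throw new InvalidOperationException("PFX contains no certificate with a private key.");
        return client;
    }

    // Only the public certificate is added: per the post, ClientCertificates is
    // used to locate the installed certificate (and its key) in the store.
    public static void Attach(HttpWebClientProtocol proxy, X509Certificate2 client)
    {
        proxy.ClientCertificates.Add(new X509Certificate2(client.RawData));
    }
}
```

Adding a certificate to the current user's Root store makes Windows show a confirmation dialog, and it makes that user trust everything the root issues, so import only PFX files from a source you have verified.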

I hope this helps.

Regards,

 

Alex (Alejandro Campos Magencio)