I have added this issue to the tracker:
Issue 2212 – Updates check fail because winscp.net certificate cannot be validated
You can vote for it there.

The 800B0109 error was caused by an intermediate cert not pushed to the cert store (though it was to browsers).
Getting 80092012 now, which appears to be a CRL issue.
The end cert does not contain CRL or OSCP info at all. Chrome/Firefox/Edge do not complain.

peperud wrote:

Does WinSCP not use the Windows Certificate Store and keeps its own list of trusted root certs?

Sure, it does.
WinSCP calls CertVerifyCertificateChainPolicy.
https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy

WinSCP version: 5.13.3
OS:
1. Windows 10 Version 1803 (OS Build 17134.137)
2. Windows Server 2016 Version 1607 (OS Build 14393.2339)
Error message:

Certificate not trusted.
Error: 800B0109, Chain index: 0, Element index: -1
Server certificate verification failed: issuer is not trusted

---

Both machines are behind a corporate proxy. The proxy terminates SSL to inspect traffic and issues on the fly a local cert for the machine to proxy connection. The issuer's root cert is pushed by policy to the machines and all other programs have no issue.

Does WinSCP not use the Windows Certificate Store and keeps its own list of trusted root certs?
Or perhaps has a hardcoded check for a particulate certificate it expects to receive?