How to check with openssl what is the download URL to the Intermediate and Root CA Certificates on provider site?
I mean, if the site cert comes from Rapidssl, how to find the path to CA using openssl which are to download on: RapidSSL Intermediate and Root CA Certificates | RapidSSL
This cannot be guaranteed to be possible.
From the intermediate certificate, you can always find the identity of the issuer, and optionally the authority key identifier (basically the serial number of the higher CA certificate) and/or the authority information access extension which may or may not contain the URL pointing to the root certificate.
Likewise, the site certificate will always contain the identity of the intermediate CA (as the issuer), and the optional extensions may include the serial number and URL for the intermediate CA certificate, but this is not strictly guaranteed.
You can get all the "interesting" information from a certificate with this openssl command:
openssl x509 -noout -text -certopt no_pubkey,no_sigdump,no_header,ext_parse -nameopt multiline,show_type -in <certificate filename>
Granted, that is a rather long and complex command, and you might want to make an alias of it. In many cases, a simpler version is useful enough to learn and remember:
openssl x509 -noout -text -in <certificate filename>
The output of this command includes some usually-useless hex dumps, and it might not present new or unknown certificate extensions in a very useful way, but for most purposes it'll be good enough.
Following the chain the other way is even more difficult. Because the root certificate is usually much longer-lived than the intermediate ones, the serial number and/or download URL of the intermediate certificate will not necessarily be known at the time of creation of the root CA certificate.
You should not be trusting the information in the certificates of random sites before you've successfully checked the trust chain of the certificate anyway. The site may, as a convenience feature, provide you the (purported) intermediate CA certificate, but in order to really validate that, the root certificate must already be in your own store of trusted root certificates.
In fact, you're probably a little safer if you are unable to auto-detect the root CA certificate URL of an unknown CA from the site or intermediate certificate: you would have to google for that CA, and if there is/was a forged CA certificate in use by that CA name, you would have a chance to see news articles about it.
You would then have a chance to take a better look at the details of the certificate and the CA itself, and to evaluate whether that CA is trustworthy enough or not. This is essentially the reason why when installing a new root CA certificate, a human should always be in the loop.
