Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/70/405bbd-5913-4e95-8e75-fe0659176a56/1/ks7OXGgzQ7_BQHZH18-xSqxib7Q.roa
File:                     ks7OXGgzQ7_BQHZH18-xSqxib7Q.roa (raw, json)
Hash identifier:          Tsj/KScI2FOapo85DDam/iHEkHxbrSiPypiswSrDBVk=
Subject key identifier:   92:CE:CE:5C:68:33:43:BF:C1:40:76:47:D7:CF:B1:4A:AC:62:6F:B4
Certificate issuer:       /CN=2ac3daa1b14850f2e61c592b2191915a5e65a478
Certificate serial:       01840D8517BCC513E724415EF9FF80CDFF59
Authority key identifier: 2A:C3:DA:A1:B1:48:50:F2:E6:1C:59:2B:21:91:91:5A:5E:65:A4:78
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/KsPaobFIUPLmHFkrIZGRWl5lpHg.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/70/405bbd-5913-4e95-8e75-fe0659176a56/1/ks7OXGgzQ7_BQHZH18-xSqxib7Q.roa
Signing time:             Tue 25 Oct 2022 05:02:16 +0000
ROA not before:           Tue 25 Oct 2022 05:02:16 +0000
ROA not after:            Sat 01 Jul 2023 00:00:00 +0000
asID:                     31732
IP address blocks:        194.127.98.0/23 maxlen: 23
                          5.34.208.0/20 maxlen: 24
                          185.220.236.0/22 maxlen: 24
                          188.209.155.0/24 maxlen: 24
                          185.215.244.0/23 maxlen: 24
                          185.234.144.0/22 maxlen: 24
                          213.173.32.0/22 maxlen: 24
                          185.129.108.0/22 maxlen: 24
                          188.214.236.0/22 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:84:0d:85:17:bc:c5:13:e7:24:41:5e:f9:ff:80:cd:ff:59
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=2ac3daa1b14850f2e61c592b2191915a5e65a478
        Validity
            Not Before: Oct 25 05:02:16 2022 GMT
            Not After : Jul  1 00:00:00 2023 GMT
        Subject: CN=92cece5c683343bfc1407647d7cfb14aac626fb4
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ad:9b:94:67:cd:4e:8e:5b:f3:d4:8e:13:88:68:
                    ed:bb:14:5b:32:23:a0:89:89:ee:00:9a:bc:c6:74:
                    e7:08:9c:39:7a:e4:f9:59:b4:63:78:be:82:1b:28:
                    db:7f:62:57:32:62:68:14:b0:e2:a6:f1:2a:2a:38:
                    e1:fc:e7:d0:2e:a8:ce:a5:fa:38:20:cc:5c:51:b1:
                    57:16:4e:f5:1b:37:ec:a1:0d:0e:77:b0:8c:5f:98:
                    a3:a7:4d:0f:98:99:9b:bf:ff:5d:ef:c5:dd:91:34:
                    f8:73:55:00:99:17:76:ce:08:7e:29:a8:e3:34:77:
                    16:5e:8d:26:45:f7:97:fa:7d:08:ea:73:a6:11:3b:
                    86:ac:ef:e9:e3:f2:1b:d8:d8:83:a8:ae:c4:b6:be:
                    ed:48:a6:15:09:b1:5f:67:82:4a:81:ad:92:3d:39:
                    90:35:51:b8:46:26:8a:c8:c9:73:42:4c:95:7b:51:
                    60:99:38:d0:85:4e:53:90:f1:3c:92:35:c0:29:57:
                    4f:35:45:cb:2e:ad:c1:37:33:13:cf:aa:c1:13:0f:
                    1e:03:b1:00:1f:25:b6:ec:f7:47:b0:0b:c7:47:26:
                    41:41:59:ff:68:cb:96:24:2a:78:b9:35:e0:fd:67:
                    cd:72:3a:71:ca:98:f8:06:78:a5:d6:d4:db:38:6a:
                    da:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                92:CE:CE:5C:68:33:43:BF:C1:40:76:47:D7:CF:B1:4A:AC:62:6F:B4
            X509v3 Authority Key Identifier:
                keyid:2A:C3:DA:A1:B1:48:50:F2:E6:1C:59:2B:21:91:91:5A:5E:65:A4:78

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/KsPaobFIUPLmHFkrIZGRWl5lpHg.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/70/405bbd-5913-4e95-8e75-fe0659176a56/1/ks7OXGgzQ7_BQHZH18-xSqxib7Q.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/70/405bbd-5913-4e95-8e75-fe0659176a56/1/KsPaobFIUPLmHFkrIZGRWl5lpHg.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  5.34.208.0/20
                  185.129.108.0/22
                  185.215.244.0/23
                  185.220.236.0/22
                  185.234.144.0/22
                  188.209.155.0/24
                  188.214.236.0/22
                  194.127.98.0/23
                  213.173.32.0/22

    Signature Algorithm: sha256WithRSAEncryption
         84:a9:c9:12:53:79:f6:13:58:04:ea:8d:07:21:b8:8d:24:9a:
         6c:bd:91:1a:e0:2b:ee:96:cb:fa:de:56:cd:af:22:ec:56:52:
         ab:cf:98:7d:e6:03:40:62:36:26:e4:d7:86:b6:3a:2a:a3:71:
         40:40:ce:e7:06:ac:82:ed:60:c9:3e:29:ec:87:f2:f9:a3:3d:
         ab:a5:1c:e8:45:76:63:0f:c8:48:91:df:86:d8:fd:b6:9e:6d:
         e5:74:c3:92:e6:93:b7:b4:3c:9b:f9:40:ab:fd:e6:b1:a6:5e:
         55:d1:ea:5a:9a:07:f5:c4:b1:e5:08:e7:97:f4:fc:f1:dc:b3:
         aa:71:b9:5c:96:82:01:d1:9c:7a:e7:0c:04:fa:b6:89:13:8e:
         c4:f1:90:69:4a:57:a0:8c:40:73:cf:f6:66:10:c7:b1:18:de:
         7a:ce:19:94:28:c6:07:c6:70:a8:52:eb:4b:8e:13:d2:eb:51:
         4b:f3:ba:38:37:64:ef:46:7b:0a:58:dc:42:02:23:56:06:1f:
         0c:c8:17:ab:6c:2b:3c:66:87:0a:35:70:eb:92:6f:48:d2:2d:
         a2:5b:e7:47:87:1c:e3:37:0e:49:20:41:8d:10:db:2e:78:ad:
         19:9c:80:a2:f7:ad:6d:28:89:0b:6c:a6:14:75:70:0b:0a:28:
         4f:82:27:07
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgISAYQNhRe8xRPnJEFe+f+Azf9ZMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKDJhYzNkYWExYjE0ODUwZjJlNjFjNTkyYjIxOTE5MTVhNWU2
NWE0NzgwHhcNMjIxMDI1MDUwMjE2WhcNMjMwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
Eyg5MmNlY2U1YzY4MzM0M2JmYzE0MDc2NDdkN2NmYjE0YWFjNjI2ZmI0MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArZuUZ81Ojlvz1I4TiGjtuxRbMiOg
iYnuAJq8xnTnCJw5euT5WbRjeL6CGyjbf2JXMmJoFLDipvEqKjjh/OfQLqjOpfo4
IMxcUbFXFk71GzfsoQ0Od7CMX5ijp00PmJmbv/9d78XdkTT4c1UAmRd2zgh+Kajj
NHcWXo0mRfeX+n0I6nOmETuGrO/p4/Ib2NiDqK7Etr7tSKYVCbFfZ4JKga2SPTmQ
NVG4RiaKyMlzQkyVe1FgmTjQhU5TkPE8kjXAKVdPNUXLLq3BNzMTz6rBEw8eA7EA
HyW27PdHsAvHRyZBQVn/aMuWJCp4uTXg/WfNcjpxypj4Bnil1tTbOGrafwIDAQAB
o4ICOTCCAjUwHQYDVR0OBBYEFJLOzlxoM0O/wUB2R9fPsUqsYm+0MB8GA1UdIwQY
MBaAFCrD2qGxSFDy5hxZKyGRkVpeZaR4MA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvS3NQYW9iRklVUExtSEZrcklaR1JXbDVscEhnLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC83MC80MDViYmQtNTkxMy00ZTk1LThlNzUt
ZmUwNjU5MTc2YTU2LzEva3M3T1hHZ3pRN19CUUhaSDE4LXhTcXhpYjdRLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC83MC80MDViYmQtNTkxMy00ZTk1LThlNzUtZmUwNjU5MTc2YTU2
LzEvS3NQYW9iRklVUExtSEZrcklaR1JXbDVscEhnLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CME8GCCsGAQUFBwEHAQH/BEAwPjA8BAIAATA2AwQEBSLQAwQC
uYFsAwQBudf0AwQCudzsAwQCueqQAwQAvNGbAwQCvNbsAwQBwn9iAwQC1a0gMA0G
CSqGSIb3DQEBCwUAA4IBAQCEqckSU3n2E1gE6o0HIbiNJJpsvZEa4Cvulsv63lbN
ryLsVlKrz5h95gNAYjYm5NeGtjoqo3FAQM7nBqyC7WDJPinsh/L5oz2rpRzoRXZj
D8hIkd+G2P22nm3ldMOS5pO3tDyb+UCr/eaxpl5V0epamgf1xLHlCOeX9Pzx3LOq
cblcloIB0Zx65wwE+raJE47E8ZBpSlegjEBzz/ZmEMexGN56zhmUKMYHxnCoUutL
jhPS61FL87o4N2TvRnsKWNxCAiNWBh8MyBerbCs8ZocKNXDrkm9I0i2iW+dHhxzj
Nw5JIEGNENsueK0ZnICi961tKIkLbKYUdXALCihPgicH
-----END CERTIFICATE-----