Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/89/3a382a-3dda-4796-b320-3fdfb4140f24/1/HIu3JrNUJBVOYYWn5uFr9yV6DQA.roa
File:                     HIu3JrNUJBVOYYWn5uFr9yV6DQA.roa (raw, json)
Hash identifier:          zw/3x0rKCPX1NsOrroSt1yID/foaG1SBqWHICjcAq0I=
Subject key identifier:   1C:8B:B7:26:B3:54:24:15:4E:61:85:A7:E6:E1:6B:F7:25:7A:0D:00
Certificate issuer:       /CN=bf809a7e6ca14d0a1a976673e0319e34e956ed3d
Certificate serial:       018DE9DEC965889549EBDF31F62C8A0B4658
Authority key identifier: BF:80:9A:7E:6C:A1:4D:0A:1A:97:66:73:E0:31:9E:34:E9:56:ED:3D
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/v4CafmyhTQoal2Zz4DGeNOlW7T0.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/89/3a382a-3dda-4796-b320-3fdfb4140f24/1/HIu3JrNUJBVOYYWn5uFr9yV6DQA.roa
Signing time:             Tue 27 Feb 2024 09:21:48 +0000
ROA not before:           Tue 27 Feb 2024 09:21:48 +0000
ROA not after:            Tue 01 Jul 2025 00:00:00 +0000
asID:                     35332
IP address blocks:        37.235.112.0/21 maxlen: 24
                          45.116.184.0/22 maxlen: 24
                          77.242.112.0/20 maxlen: 24
                          87.236.0.0/21 maxlen: 24
                          139.28.200.0/22 maxlen: 24
                          185.113.212.0/22 maxlen: 24
                          185.151.96.0/22 maxlen: 24
                          188.92.56.0/21 maxlen: 24
                          194.5.181.0/24 maxlen: 24
                          208.88.128.0/22 maxlen: 24
                          217.23.149.0/24 maxlen: 24
                          2a00:a000::/32 maxlen: 48

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8d:e9:de:c9:65:88:95:49:eb:df:31:f6:2c:8a:0b:46:58
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=bf809a7e6ca14d0a1a976673e0319e34e956ed3d
        Validity
            Not Before: Feb 27 09:21:48 2024 GMT
            Not After : Jul  1 00:00:00 2025 GMT
        Subject: CN=1c8bb726b35424154e6185a7e6e16bf7257a0d00
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:80:35:9c:cd:82:19:fd:81:44:94:25:9d:46:3e:
                    0d:63:60:72:d7:33:73:86:44:b5:59:77:2b:f8:ab:
                    63:12:8d:4e:ff:ff:54:90:a9:f0:ee:1a:5c:67:e8:
                    a0:ca:a0:e4:1a:e6:ed:6e:34:76:bb:af:44:8d:4d:
                    cd:c9:80:9f:18:88:9a:3a:53:f8:70:5e:1e:d9:05:
                    70:a0:ea:9f:6f:89:bb:65:dd:7e:3c:b4:ba:b7:27:
                    64:d0:5d:40:0f:76:eb:76:6d:67:0e:0b:7d:0b:5e:
                    77:9d:22:0f:4e:43:99:0c:03:79:b3:27:d2:13:86:
                    f4:87:f1:c9:02:3d:c3:04:12:5b:3d:02:91:98:0a:
                    3c:81:a4:c0:d0:aa:b4:ff:74:de:dd:e3:b0:b8:ad:
                    27:c0:56:d9:ea:ba:5b:0d:0f:71:43:83:6a:44:75:
                    85:9c:2a:f3:90:a9:6d:48:b0:8b:1c:70:61:aa:4a:
                    e9:fd:69:d5:3d:22:f9:e3:53:fb:c3:5d:fe:73:29:
                    d3:b7:95:84:b1:d1:35:d8:91:1e:41:58:ba:f6:19:
                    99:31:44:61:db:d9:1e:98:4f:35:a2:e6:11:be:7b:
                    6f:55:77:e0:31:ec:18:b7:ad:8f:51:f1:71:e4:89:
                    aa:19:b0:09:33:3f:33:3f:dc:be:ea:c0:bc:87:30:
                    a5:71
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1C:8B:B7:26:B3:54:24:15:4E:61:85:A7:E6:E1:6B:F7:25:7A:0D:00
            X509v3 Authority Key Identifier:
                keyid:BF:80:9A:7E:6C:A1:4D:0A:1A:97:66:73:E0:31:9E:34:E9:56:ED:3D

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/v4CafmyhTQoal2Zz4DGeNOlW7T0.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/89/3a382a-3dda-4796-b320-3fdfb4140f24/1/HIu3JrNUJBVOYYWn5uFr9yV6DQA.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/89/3a382a-3dda-4796-b320-3fdfb4140f24/1/v4CafmyhTQoal2Zz4DGeNOlW7T0.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  37.235.112.0/21
                  45.116.184.0/22
                  77.242.112.0/20
                  87.236.0.0/21
                  139.28.200.0/22
                  185.113.212.0/22
                  185.151.96.0/22
                  188.92.56.0/21
                  194.5.181.0/24
                  208.88.128.0/22
                  217.23.149.0/24
                IPv6:
                  2a00:a000::/32

    Signature Algorithm: sha256WithRSAEncryption
         47:a2:03:19:4b:ef:4f:f5:13:00:87:b7:2c:65:af:8c:2b:69:
         c0:5b:7c:16:2a:df:40:d7:12:1f:68:b7:df:f6:b3:64:ae:ca:
         b5:b8:04:6e:70:00:ca:01:f2:ce:78:12:fd:24:07:f3:d8:1b:
         5e:a8:c9:57:51:86:63:cf:20:49:d5:27:4b:e8:0d:46:60:ec:
         97:77:69:c7:04:ff:0f:80:fb:d4:3f:d3:88:e6:2b:1b:3b:fd:
         c1:c8:a5:23:b4:e0:c9:9a:48:8e:b1:54:33:db:6c:76:8b:8d:
         33:eb:4b:a3:ad:82:ae:bd:f7:bc:64:b4:a7:a7:b8:03:34:ff:
         cb:e7:d8:af:58:ad:ae:68:6e:3a:81:e9:c3:10:8c:e8:df:1f:
         27:da:72:04:5a:d0:2c:79:31:99:78:b9:e6:d8:67:45:76:55:
         3e:a1:76:45:ed:c8:73:7d:54:fe:ea:1b:a5:13:54:9c:51:69:
         d4:cf:df:35:be:b5:a7:a6:24:4b:ac:7e:2c:58:77:2e:c8:1d:
         4e:94:0c:da:a1:1d:5a:36:ba:6e:3c:7f:27:47:8c:fd:2d:79:
         e0:f5:06:5e:87:57:dc:50:05:bf:6c:6f:00:96:41:4e:1a:b1:
         9a:2a:7f:58:cb:cc:b4:fa:48:de:d5:36:98:32:fb:d3:c0:8b:
         4e:df:2d:e3
-----BEGIN CERTIFICATE-----
MIIFSDCCBDCgAwIBAgISAY3p3slliJVJ698x9iyKC0ZYMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGJmODA5YTdlNmNhMTRkMGExYTk3NjY3M2UwMzE5ZTM0ZTk1
NmVkM2QwHhcNMjQwMjI3MDkyMTQ4WhcNMjUwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EygxYzhiYjcyNmIzNTQyNDE1NGU2MTg1YTdlNmUxNmJmNzI1N2EwZDAwMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgDWczYIZ/YFElCWdRj4NY2By1zNz
hkS1WXcr+KtjEo1O//9UkKnw7hpcZ+igyqDkGubtbjR2u69EjU3NyYCfGIiaOlP4
cF4e2QVwoOqfb4m7Zd1+PLS6tydk0F1AD3brdm1nDgt9C153nSIPTkOZDAN5syfS
E4b0h/HJAj3DBBJbPQKRmAo8gaTA0Kq0/3Te3eOwuK0nwFbZ6rpbDQ9xQ4NqRHWF
nCrzkKltSLCLHHBhqkrp/WnVPSL541P7w13+cynTt5WEsdE12JEeQVi69hmZMURh
29kemE81ouYRvntvVXfgMewYt62PUfFx5ImqGbAJMz8zP9y+6sC8hzClcQIDAQAB
o4ICVDCCAlAwHQYDVR0OBBYEFByLtyazVCQVTmGFp+bha/cleg0AMB8GA1UdIwQY
MBaAFL+Amn5soU0KGpdmc+AxnjTpVu09MA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvdjRDYWZteWhUUW9hbDJaejRER2VOT2xXN1QwLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC84OS8zYTM4MmEtM2RkYS00Nzk2LWIzMjAt
M2ZkZmI0MTQwZjI0LzEvSEl1M0pyTlVKQlZPWVlXbjV1RnI5eVY2RFFBLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC84OS8zYTM4MmEtM2RkYS00Nzk2LWIzMjAtM2ZkZmI0MTQwZjI0
LzEvdjRDYWZteWhUUW9hbDJaejRER2VOT2xXN1QwLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMGoGCCsGAQUFBwEHAQH/BFswWTBIBAIAATBCAwQDJetwAwQC
LXS4AwQETfJwAwQDV+wAAwQCixzIAwQCuXHUAwQCuZdgAwQDvFw4AwQAwgW1AwQC
0FiAAwQA2ReVMA0EAgACMAcDBQAqAKAAMA0GCSqGSIb3DQEBCwUAA4IBAQBHogMZ
S+9P9RMAh7csZa+MK2nAW3wWKt9A1xIfaLff9rNkrsq1uARucADKAfLOeBL9JAfz
2BteqMlXUYZjzyBJ1SdL6A1GYOyXd2nHBP8PgPvUP9OI5isbO/3ByKUjtODJmkiO
sVQz22x2i40z60ujrYKuvfe8ZLSnp7gDNP/L59ivWK2uaG46genDEIzo3x8n2nIE
WtAseTGZeLnm2GdFdlU+oXZF7chzfVT+6hulE1ScUWnUz981vrWnpiRLrH4sWHcu
yB1OlAzaoR1aNrpuPH8nR4z9LXng9QZeh1fcUAW/bG8AlkFOGrGaKn9Yy8y0+kje
1TaYMvvTwItO3y3j
-----END CERTIFICATE-----