Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/03/913a3a-f550-46f0-acc7-cd3ca5975712/1/HzJ3nyvRlXwPXBzSPHe-bNyeB64.roa
File:                     HzJ3nyvRlXwPXBzSPHe-bNyeB64.roa (raw, json)
Hash identifier:          vugPansu4bCYwqaN8tuInBzIIzVMjJ2YNj1v5F6L85o=
Subject key identifier:   1F:32:77:9F:2B:D1:95:7C:0F:5C:1C:D2:3C:77:BE:6C:DC:9E:07:AE
Certificate issuer:       /CN=22c4ac3e3c43d70d05349c815baadd38ad775e9d
Certificate serial:       01888BFD97A412577C78AD77EFEBEF0055C2
Authority key identifier: 22:C4:AC:3E:3C:43:D7:0D:05:34:9C:81:5B:AA:DD:38:AD:77:5E:9D
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/IsSsPjxD1w0FNJyBW6rdOK13Xp0.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/03/913a3a-f550-46f0-acc7-cd3ca5975712/1/HzJ3nyvRlXwPXBzSPHe-bNyeB64.roa
Signing time:             Mon 05 Jun 2023 14:37:12 +0000
ROA not before:           Mon 05 Jun 2023 14:37:12 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     207459
IP address blocks:        91.92.24.0/24 maxlen: 24
                          91.92.24.0/23 maxlen: 23
                          91.92.25.0/24 maxlen: 24
                          193.149.29.0/24 maxlen: 24
                          193.149.30.0/24 maxlen: 24
                          193.149.28.0/22 maxlen: 22
                          193.149.31.0/24 maxlen: 24
                          193.149.28.0/24 maxlen: 24
                          171.22.19.0/24 maxlen: 24
                          185.221.67.0/24 maxlen: 24
                          87.120.87.0/24 maxlen: 24
                          194.180.50.0/24 maxlen: 24
                          93.123.116.0/24 maxlen: 24
                          176.125.255.0/24 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:88:8b:fd:97:a4:12:57:7c:78:ad:77:ef:eb:ef:00:55:c2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=22c4ac3e3c43d70d05349c815baadd38ad775e9d
        Validity
            Not Before: Jun  5 14:37:12 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=1f32779f2bd1957c0f5c1cd23c77be6cdc9e07ae
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9f:54:91:45:0c:d4:86:ae:14:46:56:d6:c9:7b:
                    82:a0:53:1b:75:2e:f6:59:2d:cf:31:6a:bc:0e:34:
                    10:7a:66:3f:15:c6:e2:9a:24:1c:d1:7b:c3:04:3d:
                    c5:c7:91:46:b9:ef:0f:4d:f8:6b:d4:af:c5:12:4d:
                    bd:ca:c7:fd:41:8a:6b:94:94:b0:32:38:9a:c9:33:
                    c7:13:38:8b:6e:61:02:c1:8f:e8:76:5e:52:58:cb:
                    17:a2:75:13:f7:2b:8e:ca:a5:67:69:2d:7c:dc:b1:
                    82:d3:ec:40:aa:29:34:2b:87:eb:82:60:8d:fb:bd:
                    9b:00:87:22:63:c0:49:e9:45:e2:59:7e:96:a0:19:
                    37:43:03:63:13:4a:3e:89:57:a9:81:ec:2c:9e:c4:
                    7a:79:b2:b6:09:9f:70:ce:33:35:77:d3:08:fe:23:
                    9d:ef:41:e7:95:4d:33:93:0c:48:e9:19:ea:6b:05:
                    04:b7:a2:34:a0:d9:1b:5b:b3:84:91:3a:d3:8c:03:
                    f7:69:f8:6f:02:26:b7:47:2b:6b:2f:7a:0d:95:9e:
                    65:a7:f9:d1:43:4f:08:ee:89:7c:98:c4:04:61:0c:
                    68:ea:0b:65:ea:fc:f2:38:7e:d5:0b:64:08:af:d4:
                    2a:67:5c:76:c6:f4:b1:47:b5:7e:d9:68:0c:e4:34:
                    1a:9f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1F:32:77:9F:2B:D1:95:7C:0F:5C:1C:D2:3C:77:BE:6C:DC:9E:07:AE
            X509v3 Authority Key Identifier:
                keyid:22:C4:AC:3E:3C:43:D7:0D:05:34:9C:81:5B:AA:DD:38:AD:77:5E:9D

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/IsSsPjxD1w0FNJyBW6rdOK13Xp0.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/03/913a3a-f550-46f0-acc7-cd3ca5975712/1/HzJ3nyvRlXwPXBzSPHe-bNyeB64.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/03/913a3a-f550-46f0-acc7-cd3ca5975712/1/IsSsPjxD1w0FNJyBW6rdOK13Xp0.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  87.120.87.0/24
                  91.92.24.0/23
                  93.123.116.0/24
                  171.22.19.0/24
                  176.125.255.0/24
                  185.221.67.0/24
                  193.149.28.0/22
                  194.180.50.0/24

    Signature Algorithm: sha256WithRSAEncryption
         28:3b:44:8c:09:3c:6f:69:5e:58:f2:dd:bc:d3:c1:05:e2:12:
         23:a6:df:3a:77:a1:62:ce:bf:1e:6b:76:ab:1c:4a:20:52:87:
         93:d9:40:30:70:02:10:b7:08:32:15:12:a5:4a:2f:d7:2c:22:
         e1:86:70:cf:61:f8:e4:eb:91:02:22:33:56:71:45:fa:b4:e3:
         66:37:ca:3d:78:03:28:8d:60:5d:d8:c1:36:63:a4:43:7f:55:
         f1:dc:28:a1:10:f6:02:26:74:bc:b0:fe:a0:4a:b4:ce:b2:79:
         1e:8f:4e:d1:07:73:68:71:a7:3c:f6:c1:9c:e8:f4:e3:9c:99:
         80:83:93:61:c3:a6:d3:5d:2a:15:53:e4:12:af:24:67:68:9a:
         37:75:32:e0:d4:6f:5f:bb:1b:36:ec:60:fb:01:87:84:9a:36:
         aa:60:e4:55:c2:a8:b4:7d:aa:17:b7:05:fa:11:67:cd:2b:04:
         35:de:95:e9:d3:2b:f8:8b:78:25:01:26:ff:fc:fe:23:25:aa:
         35:38:63:82:fb:d8:16:31:a8:ca:f1:36:aa:38:94:d2:9f:da:
         96:35:30:ec:54:39:f7:e7:61:90:1c:40:6a:ad:73:b3:77:32:
         38:38:45:b2:fc:d2:9d:59:98:da:23:f6:de:e4:57:f9:1c:dc:
         b7:63:49:49
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgISAYiL/ZekEld8eK137+vvAFXCMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKDIyYzRhYzNlM2M0M2Q3MGQwNTM0OWM4MTViYWFkZDM4YWQ3
NzVlOWQwHhcNMjMwNjA1MTQzNzEyWhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EygxZjMyNzc5ZjJiZDE5NTdjMGY1YzFjZDIzYzc3YmU2Y2RjOWUwN2FlMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn1SRRQzUhq4URlbWyXuCoFMbdS72
WS3PMWq8DjQQemY/FcbimiQc0XvDBD3Fx5FGue8PTfhr1K/FEk29ysf9QYprlJSw
MjiayTPHEziLbmECwY/odl5SWMsXonUT9yuOyqVnaS183LGC0+xAqik0K4frgmCN
+72bAIciY8BJ6UXiWX6WoBk3QwNjE0o+iVepgewsnsR6ebK2CZ9wzjM1d9MI/iOd
70HnlU0zkwxI6RnqawUEt6I0oNkbW7OEkTrTjAP3afhvAia3RytrL3oNlZ5lp/nR
Q08I7ol8mMQEYQxo6gtl6vzyOH7VC2QIr9QqZ1x2xvSxR7V+2WgM5DQanwIDAQAB
o4ICMzCCAi8wHQYDVR0OBBYEFB8yd58r0ZV8D1wc0jx3vmzcngeuMB8GA1UdIwQY
MBaAFCLErD48Q9cNBTScgVuq3Titd16dMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvSXNTc1BqeEQxdzBGTkp5Qlc2cmRPSzEzWHAwLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC8wMy85MTNhM2EtZjU1MC00NmYwLWFjYzct
Y2QzY2E1OTc1NzEyLzEvSHpKM255dlJsWHdQWEJ6U1BIZS1iTnllQjY0LnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC8wMy85MTNhM2EtZjU1MC00NmYwLWFjYzctY2QzY2E1OTc1NzEy
LzEvSXNTc1BqeEQxdzBGTkp5Qlc2cmRPSzEzWHAwLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMEkGCCsGAQUFBwEHAQH/BDowODA2BAIAATAwAwQAV3hXAwQB
W1wYAwQAXXt0AwQAqxYTAwQAsH3/AwQAud1DAwQCwZUcAwQAwrQyMA0GCSqGSIb3
DQEBCwUAA4IBAQAoO0SMCTxvaV5Y8t2808EF4hIjpt86d6Fizr8ea3arHEogUoeT
2UAwcAIQtwgyFRKlSi/XLCLhhnDPYfjk65ECIjNWcUX6tONmN8o9eAMojWBd2ME2
Y6RDf1Xx3CihEPYCJnS8sP6gSrTOsnkej07RB3Nocac89sGc6PTjnJmAg5Nhw6bT
XSoVU+QSryRnaJo3dTLg1G9fuxs27GD7AYeEmjaqYORVwqi0faoXtwX6EWfNKwQ1
3pXp0yv4i3glASb//P4jJao1OGOC+9gWMajK8TaqOJTSn9qWNTDsVDn352GQHEBq
rXOzdzI4OEWy/NKdWZjaI/be5Ff5HNy3Y0lJ
-----END CERTIFICATE-----