Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/1d/409b7e-1275-43ed-af0f-52f97b277d1f/1/8lYRDnUYP9QfS_lw9bAlPt_xBsM.roa
File:                     8lYRDnUYP9QfS_lw9bAlPt_xBsM.roa (raw, json)
Hash identifier:          hwcasFVv+Tx7tGlGdWPpgvu5C2o9RThQ8tWqdI4b5to=
Subject key identifier:   F2:56:11:0E:75:18:3F:D4:1F:4B:F9:70:F5:B0:25:3E:DF:F1:06:C3
Certificate issuer:       /CN=52dc9c218b510c07bc6659b09fbd32afe68abfd2
Certificate serial:       018BD21EE27A10B59082A7E2090657E615AB
Authority key identifier: 52:DC:9C:21:8B:51:0C:07:BC:66:59:B0:9F:BD:32:AF:E6:8A:BF:D2
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/UtycIYtRDAe8Zlmwn70yr-aKv9I.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/1d/409b7e-1275-43ed-af0f-52f97b277d1f/1/8lYRDnUYP9QfS_lw9bAlPt_xBsM.roa
Signing time:             Wed 15 Nov 2023 08:35:21 +0000
ROA not before:           Wed 15 Nov 2023 08:35:21 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     47869
IP address blocks:        109.235.48.0/21 maxlen: 21
                          178.239.48.0/20 maxlen: 20
                          94.185.80.0/21 maxlen: 21
                          91.208.164.0/24 maxlen: 24
                          194.110.67.0/24 maxlen: 24
                          37.46.192.0/22 maxlen: 22
                          91.205.232.0/22 maxlen: 22
                          37.46.199.0/24 maxlen: 24
                          91.199.50.0/24 maxlen: 24
                          37.46.196.0/23 maxlen: 23
                          31.171.132.0/22 maxlen: 24
                          94.228.208.0/20 maxlen: 20
                          2a00:dd0::/32 maxlen: 48
                          2a00:dd0:bbbb::/48 maxlen: 48
                          2a00:dd0:aaaa::/48 maxlen: 48

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8b:d2:1e:e2:7a:10:b5:90:82:a7:e2:09:06:57:e6:15:ab
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=52dc9c218b510c07bc6659b09fbd32afe68abfd2
        Validity
            Not Before: Nov 15 08:35:21 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=f256110e75183fd41f4bf970f5b0253edff106c3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F2:56:11:0E:75:18:3F:D4:1F:4B:F9:70:F5:B0:25:3E:DF:F1:06:C3
            X509v3 Authority Key Identifier:
                keyid:52:DC:9C:21:8B:51:0C:07:BC:66:59:B0:9F:BD:32:AF:E6:8A:BF:D2

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/UtycIYtRDAe8Zlmwn70yr-aKv9I.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/1d/409b7e-1275-43ed-af0f-52f97b277d1f/1/8lYRDnUYP9QfS_lw9bAlPt_xBsM.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/1d/409b7e-1275-43ed-af0f-52f97b277d1f/1/UtycIYtRDAe8Zlmwn70yr-aKv9I.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  31.171.132.0/22
                  37.46.192.0-37.46.197.255
                  37.46.199.0/24
                  91.199.50.0/24
                  91.205.232.0/22
                  91.208.164.0/24
                  94.185.80.0/21
                  94.228.208.0/20
                  109.235.48.0/21
                  178.239.48.0/20
                  194.110.67.0/24
                IPv6:
                  2a00:dd0::/32

    Signature Algorithm: sha256WithRSAEncryption
Generated at Thu Jun 6 17:21:40 2024 by rpki-client on console-fra.rpki-client.org