Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/62/43ff8f-cd54-4cf1-8aaf-4be18ef128b4/1/8N9qhZ75PC20xDBlTojLICGBgQI.roa
File:                     8N9qhZ75PC20xDBlTojLICGBgQI.roa (raw, json)
Hash identifier:          5kxus8oYUaDRbq3XTB332NteqjiEUoB4mwUusW7QnHA=
Subject key identifier:   F0:DF:6A:85:9E:F9:3C:2D:B4:C4:30:65:4E:88:CB:20:21:81:81:02
Certificate issuer:       /CN=94166b704843d3d9754095c83a91b493828200a2
Certificate serial:       018A9AAAF6CDE7C4FAC3088B86942DFF7F35
Authority key identifier: 94:16:6B:70:48:43:D3:D9:75:40:95:C8:3A:91:B4:93:82:82:00:A2
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/lBZrcEhD09l1QJXIOpG0k4KCAKI.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/62/43ff8f-cd54-4cf1-8aaf-4be18ef128b4/1/8N9qhZ75PC20xDBlTojLICGBgQI.roa
Signing time:             Fri 15 Sep 2023 21:06:50 +0000
ROA not before:           Fri 15 Sep 2023 21:06:50 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     834
IP address blocks:        171.22.144.0/24 maxlen: 24
                          171.22.146.0/24 maxlen: 24
                          171.22.147.0/24 maxlen: 24
                          31.43.174.0/24 maxlen: 24
                          91.103.120.0/21 maxlen: 24
                          185.235.71.0/24 maxlen: 24
                          95.111.128.0/20 maxlen: 20
                          95.111.144.0/20 maxlen: 20
                          185.149.12.0/24 maxlen: 24
                          185.149.13.0/24 maxlen: 24
                          185.149.14.0/24 maxlen: 24
                          185.149.14.0/23 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8a:9a:aa:f6:cd:e7:c4:fa:c3:08:8b:86:94:2d:ff:7f:35
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=94166b704843d3d9754095c83a91b493828200a2
        Validity
            Not Before: Sep 15 21:06:50 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=f0df6a859ef93c2db4c430654e88cb2021818102
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:98:cc:7d:f2:a2:8a:a5:c7:1f:69:78:cf:20:67:
                    3c:3b:0e:67:04:c3:2a:ec:27:f8:be:e9:32:f5:9c:
                    80:6e:f5:5a:74:55:af:b0:9c:7f:96:69:74:34:65:
                    07:6d:ee:2c:f4:92:dd:55:4f:2a:4f:60:f6:05:8a:
                    06:32:f2:3f:fe:2d:44:ce:6f:09:57:b6:15:b6:a0:
                    63:d3:4c:59:ce:20:e2:46:9d:3d:b3:70:18:e9:15:
                    7c:89:31:5f:29:55:39:ec:4e:6b:89:48:4e:00:38:
                    46:7d:c1:19:79:cf:53:a9:df:93:09:94:cb:62:19:
                    98:98:7d:0d:2f:34:20:c5:d4:2b:dc:1f:a4:fc:65:
                    41:de:60:92:3e:87:3c:a3:c9:16:0e:26:6e:f9:b1:
                    ef:54:69:c2:2d:2f:bd:95:41:17:db:3d:c9:06:f7:
                    02:cb:be:b8:15:e9:da:f7:7c:f6:b5:5f:8a:62:e8:
                    d6:18:01:6f:bb:24:41:51:25:f7:58:a6:bb:23:62:
                    85:19:a4:dc:c6:cd:6c:6f:01:ba:4c:97:8c:1c:ca:
                    c2:74:8b:30:87:8d:c4:2c:16:c1:98:1c:b1:88:8c:
                    25:62:36:d2:42:87:fa:aa:9b:00:a8:d0:d0:8e:67:
                    d8:0b:e6:5b:73:b0:ea:84:ce:17:51:14:2b:d7:00:
                    33:a9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F0:DF:6A:85:9E:F9:3C:2D:B4:C4:30:65:4E:88:CB:20:21:81:81:02
            X509v3 Authority Key Identifier:
                keyid:94:16:6B:70:48:43:D3:D9:75:40:95:C8:3A:91:B4:93:82:82:00:A2

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/lBZrcEhD09l1QJXIOpG0k4KCAKI.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/62/43ff8f-cd54-4cf1-8aaf-4be18ef128b4/1/8N9qhZ75PC20xDBlTojLICGBgQI.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/62/43ff8f-cd54-4cf1-8aaf-4be18ef128b4/1/lBZrcEhD09l1QJXIOpG0k4KCAKI.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  31.43.174.0/24
                  91.103.120.0/21
                  95.111.128.0/19
                  171.22.144.0/24
                  171.22.146.0/23
                  185.149.12.0/22
                  185.235.71.0/24

    Signature Algorithm: sha256WithRSAEncryption
         3c:42:89:f5:92:69:c7:e6:47:33:ed:27:34:63:f3:e9:a6:00:
         9a:72:46:9e:42:13:6b:7b:e3:78:c5:1b:3b:3f:1f:aa:9a:bb:
         ad:ae:49:c7:0f:bb:8a:98:21:fb:4a:bf:20:74:55:5c:c8:a8:
         ad:2e:76:18:12:58:46:f8:41:b1:5c:c3:3e:cd:3e:37:44:b9:
         ce:14:15:45:79:b5:a9:13:77:17:4d:55:f1:5a:c2:08:cd:49:
         96:f6:78:d5:f0:c1:6b:a7:44:5b:63:6d:69:62:34:3a:c0:2a:
         02:97:e7:a1:ab:f4:43:95:e6:a0:36:73:70:b2:9d:eb:07:a4:
         7e:7e:3c:10:3c:47:69:6e:c5:a1:00:30:e5:75:53:97:9a:38:
         9c:b3:79:6a:0b:88:79:50:2b:2d:fa:c2:6d:f9:57:fd:61:6a:
         54:e0:c9:6a:13:ba:fe:e8:3c:c4:28:64:ad:18:1d:a0:c0:da:
         96:aa:97:14:91:b9:de:37:c7:7a:13:d3:eb:2a:4b:c9:cd:eb:
         1d:dd:f4:b6:22:f5:44:70:da:5d:9f:f8:53:9f:61:52:50:af:
         10:cc:11:60:7e:95:d6:8f:3e:15:91:92:53:cb:11:8d:a7:61:
         bf:cb:12:f2:d6:b5:d7:20:dc:f9:5b:0f:9a:9e:c6:08:18:32:
         ab:11:41:c6
-----BEGIN CERTIFICATE-----
MIIFITCCBAmgAwIBAgISAYqaqvbN58T6wwiLhpQt/381MA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKDk0MTY2YjcwNDg0M2QzZDk3NTQwOTVjODNhOTFiNDkzODI4
MjAwYTIwHhcNMjMwOTE1MjEwNjUwWhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EyhmMGRmNmE4NTllZjkzYzJkYjRjNDMwNjU0ZTg4Y2IyMDIxODE4MTAyMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmMx98qKKpccfaXjPIGc8Ow5nBMMq
7Cf4vuky9ZyAbvVadFWvsJx/lml0NGUHbe4s9JLdVU8qT2D2BYoGMvI//i1Ezm8J
V7YVtqBj00xZziDiRp09s3AY6RV8iTFfKVU57E5riUhOADhGfcEZec9Tqd+TCZTL
YhmYmH0NLzQgxdQr3B+k/GVB3mCSPoc8o8kWDiZu+bHvVGnCLS+9lUEX2z3JBvcC
y764Fena93z2tV+KYujWGAFvuyRBUSX3WKa7I2KFGaTcxs1sbwG6TJeMHMrCdIsw
h43ELBbBmByxiIwlYjbSQof6qpsAqNDQjmfYC+Zbc7DqhM4XURQr1wAzqQIDAQAB
o4ICLTCCAikwHQYDVR0OBBYEFPDfaoWe+TwttMQwZU6IyyAhgYECMB8GA1UdIwQY
MBaAFJQWa3BIQ9PZdUCVyDqRtJOCggCiMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvbEJacmNFaEQwOWwxUUpYSU9wRzBrNEtDQUtJLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC82Mi80M2ZmOGYtY2Q1NC00Y2YxLThhYWYt
NGJlMThlZjEyOGI0LzEvOE45cWhaNzVQQzIweERCbFRvakxJQ0dCZ1FJLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC82Mi80M2ZmOGYtY2Q1NC00Y2YxLThhYWYtNGJlMThlZjEyOGI0
LzEvbEJacmNFaEQwOWwxUUpYSU9wRzBrNEtDQUtJLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMEMGCCsGAQUFBwEHAQH/BDQwMjAwBAIAATAqAwQAHyuuAwQD
W2d4AwQFX2+AAwQAqxaQAwQBqxaSAwQCuZUMAwQAuetHMA0GCSqGSIb3DQEBCwUA
A4IBAQA8Qon1kmnH5kcz7Sc0Y/PppgCackaeQhNre+N4xRs7Px+qmrutrknHD7uK
mCH7Sr8gdFVcyKitLnYYElhG+EGxXMM+zT43RLnOFBVFebWpE3cXTVXxWsIIzUmW
9njV8MFrp0RbY21pYjQ6wCoCl+ehq/RDleagNnNwsp3rB6R+fjwQPEdpbsWhADDl
dVOXmjics3lqC4h5UCst+sJt+Vf9YWpU4MlqE7r+6DzEKGStGB2gwNqWqpcUkbne
N8d6E9PrKkvJzesd3fS2IvVEcNpdn/hTn2FSUK8QzBFgfpXWjz4VkZJTyxGNp2G/
yxLy1rXXINz5Ww+ansYIGDKrEUHG
-----END CERTIFICATE-----