Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/a5/61ec7d-8df6-4ffe-b637-5b09a6743375/1/OX86kzT3YEWpRDM55m9L48dlRbM.roa
File:                     OX86kzT3YEWpRDM55m9L48dlRbM.roa (raw, json)
Hash identifier:          ANBpi8FZyKEndIG0iFZUwdZ0tkuTisRwlQ424MJKWjI=
Subject key identifier:   39:7F:3A:93:34:F7:60:45:A9:44:33:39:E6:6F:4B:E3:C7:65:45:B3
Certificate issuer:       /CN=ff3ed3d4d47b8e825fbfd079482f7a0c21dc91ef
Certificate serial:       0185719E681A8BC8A83FD5DAF97A5CAD14AB
Authority key identifier: FF:3E:D3:D4:D4:7B:8E:82:5F:BF:D0:79:48:2F:7A:0C:21:DC:91:EF
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/_z7T1NR7joJfv9B5SC96DCHcke8.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/a5/61ec7d-8df6-4ffe-b637-5b09a6743375/1/OX86kzT3YEWpRDM55m9L48dlRbM.roa
Signing time:             Mon 02 Jan 2023 08:34:44 +0000
ROA not before:           Mon 02 Jan 2023 08:34:44 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     39724
IP address blocks:        85.222.168.0/21 maxlen: 24
                          185.55.157.0/24 maxlen: 24
                          185.55.158.0/24 maxlen: 24
                          185.55.158.0/23 maxlen: 23
                          185.55.156.0/23 maxlen: 23
                          185.55.156.0/24 maxlen: 24
                          185.55.156.0/22 maxlen: 22
                          185.55.159.0/24 maxlen: 24
                          77.247.101.0/24 maxlen: 24
                          77.247.102.0/24 maxlen: 24
                          77.247.102.0/23 maxlen: 23
                          77.247.100.0/22 maxlen: 22
                          77.247.100.0/23 maxlen: 23
                          77.247.100.0/24 maxlen: 24
                          77.247.103.0/24 maxlen: 24
                          2a0d:a6c2::/32 maxlen: 32
                          2a0d:a6c6::/32 maxlen: 32
                          2a0d:a6c7::/32 maxlen: 32
                          2a0d:a6c1::/32 maxlen: 32
                          2a0d:a6c4::/32 maxlen: 32
                          2a0d:a6c0::/32 maxlen: 32
                          2a0d:a6c5::/32 maxlen: 32
                          2a0d:a6c3::/32 maxlen: 32
                          2a0d:a6c0::/29 maxlen: 29

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:85:71:9e:68:1a:8b:c8:a8:3f:d5:da:f9:7a:5c:ad:14:ab
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ff3ed3d4d47b8e825fbfd079482f7a0c21dc91ef
        Validity
            Not Before: Jan  2 08:34:44 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=397f3a9334f76045a9443339e66f4be3c76545b3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:80:f8:45:ef:a7:09:ae:77:22:26:89:91:3d:fa:
                    d5:3b:15:a5:d0:4a:59:44:b7:c4:22:69:cf:9b:a9:
                    8b:cd:b5:15:d9:15:b9:4c:27:20:4a:b7:9b:cc:91:
                    92:ef:e8:b7:b2:b6:c9:c8:4e:17:47:ff:d7:e0:28:
                    27:3d:ae:ea:88:5e:4d:c1:ef:97:d9:bf:b7:ce:be:
                    b0:da:b1:92:26:fe:82:11:d2:24:0e:73:8f:d5:96:
                    2d:0a:4c:84:6c:3d:eb:f5:cf:3f:25:64:55:36:7b:
                    1f:64:7a:6d:c8:d0:ef:92:dc:cd:3d:1f:89:34:9f:
                    6d:9b:70:6c:64:80:c5:69:fc:82:2c:cf:75:19:51:
                    ea:79:67:ae:8d:b9:ab:df:3a:91:cd:be:f8:12:83:
                    10:ad:c6:c1:f7:65:0b:36:77:71:29:6e:1b:c6:ec:
                    bb:7e:4c:79:9e:83:d1:ae:68:53:8c:b1:91:44:3c:
                    e2:49:7d:6e:6b:32:a5:36:41:9c:15:9b:e9:44:25:
                    7f:b2:87:2c:57:9f:5b:0a:f0:4f:77:ef:b8:80:9f:
                    68:31:39:31:3f:13:c5:4c:b7:3b:11:4b:29:c5:52:
                    1d:2d:f7:61:5d:83:22:cb:0e:28:e9:1b:53:3d:2c:
                    f1:25:c2:23:e8:3e:65:2a:40:25:7d:79:2b:57:c0:
                    a1:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                39:7F:3A:93:34:F7:60:45:A9:44:33:39:E6:6F:4B:E3:C7:65:45:B3
            X509v3 Authority Key Identifier:
                keyid:FF:3E:D3:D4:D4:7B:8E:82:5F:BF:D0:79:48:2F:7A:0C:21:DC:91:EF

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/_z7T1NR7joJfv9B5SC96DCHcke8.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/a5/61ec7d-8df6-4ffe-b637-5b09a6743375/1/OX86kzT3YEWpRDM55m9L48dlRbM.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/a5/61ec7d-8df6-4ffe-b637-5b09a6743375/1/_z7T1NR7joJfv9B5SC96DCHcke8.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  77.247.100.0/22
                  85.222.168.0/21
                  185.55.156.0/22
                IPv6:
                  2a0d:a6c0::/29

    Signature Algorithm: sha256WithRSAEncryption
         4e:ea:b1:06:85:e5:42:98:d9:1b:c7:5d:ee:27:cf:74:dd:51:
         52:05:32:e5:db:80:80:1d:09:b8:c6:c8:2e:53:1b:40:1e:cb:
         da:9b:ee:d8:75:01:9f:75:b3:c9:31:07:89:5d:de:be:ce:9e:
         4b:a1:4f:82:31:b2:aa:90:f0:a4:d0:0f:30:a1:e6:c8:49:af:
         17:60:07:38:5f:b0:e7:ca:fb:6e:0a:c7:bf:c6:df:f7:fa:67:
         5a:68:49:3d:21:4d:51:89:9c:8b:f6:16:75:a9:97:a9:36:90:
         75:bc:23:fc:1f:bf:f4:85:1d:3f:56:23:d1:99:cb:dc:75:ad:
         7b:84:a1:49:2b:11:7b:15:34:f2:88:b2:39:99:f2:d8:fc:ed:
         5a:71:58:84:05:ac:dc:68:6e:1c:df:13:ac:3f:5e:0d:85:bb:
         44:10:b7:8d:ea:1b:99:f5:f5:64:68:80:ae:90:5b:c0:22:55:
         99:90:d6:ed:de:40:72:a0:96:d0:17:fd:9d:22:2b:1b:6c:45:
         5c:20:4f:d1:e9:7e:bb:25:b6:0d:05:4e:1b:95:b8:d8:3a:ae:
         d0:8e:98:ab:ed:d7:69:54:02:27:a3:b5:5c:18:82:e6:c0:66:
         8e:21:7c:56:61:11:12:83:6d:6a:14:7e:55:4a:9c:11:74:2c:
         12:86:d1:79
-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgISAYVxnmgai8ioP9Xa+XpcrRSrMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGZmM2VkM2Q0ZDQ3YjhlODI1ZmJmZDA3OTQ4MmY3YTBjMjFk
YzkxZWYwHhcNMjMwMTAyMDgzNDQ0WhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EygzOTdmM2E5MzM0Zjc2MDQ1YTk0NDMzMzllNjZmNGJlM2M3NjU0NWIzMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgPhF76cJrnciJomRPfrVOxWl0EpZ
RLfEImnPm6mLzbUV2RW5TCcgSrebzJGS7+i3srbJyE4XR//X4CgnPa7qiF5Nwe+X
2b+3zr6w2rGSJv6CEdIkDnOP1ZYtCkyEbD3r9c8/JWRVNnsfZHptyNDvktzNPR+J
NJ9tm3BsZIDFafyCLM91GVHqeWeujbmr3zqRzb74EoMQrcbB92ULNndxKW4bxuy7
fkx5noPRrmhTjLGRRDziSX1uazKlNkGcFZvpRCV/socsV59bCvBPd++4gJ9oMTkx
PxPFTLc7EUspxVIdLfdhXYMiyw4o6RtTPSzxJcIj6D5lKkAlfXkrV8CheQIDAQAB
o4ICJDCCAiAwHQYDVR0OBBYEFDl/OpM092BFqUQzOeZvS+PHZUWzMB8GA1UdIwQY
MBaAFP8+09TUe46CX7/QeUgvegwh3JHvMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvX3o3VDFOUjdqb0pmdjlCNVNDOTZEQ0hja2U4LmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC9hNS82MWVjN2QtOGRmNi00ZmZlLWI2Mzct
NWIwOWE2NzQzMzc1LzEvT1g4Nmt6VDNZRVdwUkRNNTVtOUw0OGRsUmJNLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC9hNS82MWVjN2QtOGRmNi00ZmZlLWI2MzctNWIwOWE2NzQzMzc1
LzEvX3o3VDFOUjdqb0pmdjlCNVNDOTZEQ0hja2U4LmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMDoGCCsGAQUFBwEHAQH/BCswKTAYBAIAATASAwQCTfdkAwQD
Vd6oAwQCuTecMA0EAgACMAcDBQMqDabAMA0GCSqGSIb3DQEBCwUAA4IBAQBO6rEG
heVCmNkbx13uJ8903VFSBTLl24CAHQm4xsguUxtAHsvam+7YdQGfdbPJMQeJXd6+
zp5LoU+CMbKqkPCk0A8woebISa8XYAc4X7DnyvtuCse/xt/3+mdaaEk9IU1RiZyL
9hZ1qZepNpB1vCP8H7/0hR0/ViPRmcvcda17hKFJKxF7FTTyiLI5mfLY/O1acViE
BazcaG4c3xOsP14NhbtEELeN6huZ9fVkaICukFvAIlWZkNbt3kByoJbQF/2dIisb
bEVcIE/R6X67JbYNBU4blbjYOq7Qjpir7ddpVAIno7VcGILmwGaOIXxWYRESg21q
FH5VSpwRdCwShtF5
-----END CERTIFICATE-----