Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/bc/8dd85a-bf8f-425e-a24b-2ccedb966a58/1/NXU1nuMGvHZvRgiJ2sPJr5cJFGQ.roa
File:                     NXU1nuMGvHZvRgiJ2sPJr5cJFGQ.roa (raw, json)
Hash identifier:          PiZSMVcjax9BbnzfD4R3a79y3MdHRoGnZ1SD/zYodPA=
Subject key identifier:   35:75:35:9E:E3:06:BC:76:6F:46:08:89:DA:C3:C9:AF:97:09:14:64
Certificate issuer:       /CN=36c2a4b7d5d73c5b57046223bf30eb653005b0e2
Certificate serial:       018691FC96CE2EFC7D10A9D168211DDAC5F7
Authority key identifier: 36:C2:A4:B7:D5:D7:3C:5B:57:04:62:23:BF:30:EB:65:30:05:B0:E2
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/NsKkt9XXPFtXBGIjvzDrZTAFsOI.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/bc/8dd85a-bf8f-425e-a24b-2ccedb966a58/1/NXU1nuMGvHZvRgiJ2sPJr5cJFGQ.roa
Signing time:             Mon 27 Feb 2023 08:28:15 +0000
ROA not before:           Mon 27 Feb 2023 08:28:15 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     0
IP address blocks:        93.115.254.0/23 maxlen: 24
                          89.40.76.0/24 maxlen: 24
                          87.247.148.0/24 maxlen: 24
                          87.247.149.0/24 maxlen: 24
                          185.255.169.0/24 maxlen: 24
                          185.255.170.0/23 maxlen: 24
                          193.42.52.0/24 maxlen: 24
                          185.103.72.0/24 maxlen: 24
                          185.238.10.0/24 maxlen: 24
                          185.241.210.0/23 maxlen: 24
                          91.188.204.0/24 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:86:91:fc:96:ce:2e:fc:7d:10:a9:d1:68:21:1d:da:c5:f7
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=36c2a4b7d5d73c5b57046223bf30eb653005b0e2
        Validity
            Not Before: Feb 27 08:28:15 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=3575359ee306bc766f460889dac3c9af97091464
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9f:3d:f7:e8:5a:ab:93:06:01:a1:8e:6b:c2:f1:
                    51:f8:c6:ba:2c:a1:a5:dd:f3:f7:bc:77:37:4e:da:
                    75:b6:a0:b9:ae:de:a5:5d:87:a6:81:20:bb:fb:92:
                    7c:dc:2c:7d:4a:f7:3e:3d:0c:97:cf:a0:91:93:d8:
                    80:78:b8:ba:49:1b:46:f7:3a:37:ef:33:6a:1c:56:
                    fa:39:72:d9:9e:26:b9:24:44:93:7e:83:70:dc:91:
                    e9:02:ce:fe:74:18:b4:da:c2:e2:72:d5:1f:42:4a:
                    33:92:8d:38:b5:64:69:e4:b9:22:c7:89:95:4a:ae:
                    ed:3e:5e:c0:49:69:c3:0f:bc:64:30:19:7e:d7:a5:
                    6f:b2:44:83:45:b0:9f:b9:8b:59:51:80:88:e7:a5:
                    b3:40:8a:7c:36:3e:46:1c:a1:43:05:a7:ee:c6:e0:
                    ac:ba:f0:fa:16:35:21:9d:da:97:8f:2b:27:ae:a8:
                    b8:d6:4b:c5:1d:49:f7:ae:86:f6:94:27:5e:0a:34:
                    92:d4:18:ef:ff:07:6d:0f:06:cd:58:bb:ce:94:1f:
                    a7:2c:c0:46:46:fa:cb:c6:2a:4c:f8:b8:b4:07:86:
                    31:4b:25:b4:e3:44:6b:e3:97:bd:cc:96:d2:7a:84:
                    4f:7d:7c:ec:2f:b5:02:b5:0c:b0:a7:88:5d:45:a0:
                    cb:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                35:75:35:9E:E3:06:BC:76:6F:46:08:89:DA:C3:C9:AF:97:09:14:64
            X509v3 Authority Key Identifier:
                keyid:36:C2:A4:B7:D5:D7:3C:5B:57:04:62:23:BF:30:EB:65:30:05:B0:E2

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/NsKkt9XXPFtXBGIjvzDrZTAFsOI.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/bc/8dd85a-bf8f-425e-a24b-2ccedb966a58/1/NXU1nuMGvHZvRgiJ2sPJr5cJFGQ.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/bc/8dd85a-bf8f-425e-a24b-2ccedb966a58/1/NsKkt9XXPFtXBGIjvzDrZTAFsOI.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  87.247.148.0/23
                  89.40.76.0/24
                  91.188.204.0/24
                  93.115.254.0/23
                  185.103.72.0/24
                  185.238.10.0/24
                  185.241.210.0/23
                  185.255.169.0-185.255.171.255
                  193.42.52.0/24

    Signature Algorithm: sha256WithRSAEncryption
         2b:b8:bc:a2:2c:5b:b3:95:53:1f:b7:ac:7a:37:c1:b6:3e:b9:
         35:17:93:7d:9d:05:39:42:64:fb:cb:02:47:ab:72:28:c7:ca:
         37:72:b0:ce:5a:63:8a:bd:56:7e:7f:38:27:53:d2:b6:ba:8b:
         07:f2:2b:72:36:1d:ba:4b:67:9c:6e:92:51:5b:da:21:77:d9:
         72:48:c4:d7:fb:2b:e4:35:16:64:ef:37:36:c3:73:4a:9d:6c:
         69:0e:ed:68:70:25:2c:0d:09:d8:ee:c8:cf:b0:07:6f:3e:85:
         93:36:5d:6b:d6:27:3d:a8:3d:93:a7:b5:a1:f4:d1:ac:09:82:
         15:a7:df:af:65:01:e4:19:0c:af:0f:22:56:9e:32:32:47:c5:
         8a:ec:94:2e:73:ec:90:fb:cb:44:c4:4a:40:a3:b0:ce:c9:80:
         e6:a1:07:cd:da:c3:00:50:73:39:ee:5b:5d:bc:1b:c1:64:0d:
         3e:a8:52:53:a2:81:48:4f:e2:e6:55:2f:a9:16:9a:97:3a:46:
         f2:38:20:7a:12:cf:62:50:97:6e:20:61:97:db:75:8b:fb:69:
         7b:9c:9c:c6:1a:23:71:9d:31:db:78:e4:69:c8:d2:54:4a:b7:
         21:de:6a:34:a4:11:fd:7b:2a:21:69:1b:47:90:09:72:9e:b2:
         31:ca:af:d7
-----BEGIN CERTIFICATE-----
MIIFNTCCBB2gAwIBAgISAYaR/JbOLvx9EKnRaCEd2sX3MA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKDM2YzJhNGI3ZDVkNzNjNWI1NzA0NjIyM2JmMzBlYjY1MzAw
NWIwZTIwHhcNMjMwMjI3MDgyODE1WhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EygzNTc1MzU5ZWUzMDZiYzc2NmY0NjA4ODlkYWMzYzlhZjk3MDkxNDY0MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnz336FqrkwYBoY5rwvFR+Ma6LKGl
3fP3vHc3Ttp1tqC5rt6lXYemgSC7+5J83Cx9Svc+PQyXz6CRk9iAeLi6SRtG9zo3
7zNqHFb6OXLZnia5JESTfoNw3JHpAs7+dBi02sLictUfQkozko04tWRp5Lkix4mV
Sq7tPl7ASWnDD7xkMBl+16VvskSDRbCfuYtZUYCI56WzQIp8Nj5GHKFDBafuxuCs
uvD6FjUhndqXjysnrqi41kvFHUn3rob2lCdeCjSS1Bjv/wdtDwbNWLvOlB+nLMBG
RvrLxipM+Li0B4YxSyW040Rr45e9zJbSeoRPfXzsL7UCtQywp4hdRaDLlQIDAQAB
o4ICQTCCAj0wHQYDVR0OBBYEFDV1NZ7jBrx2b0YIidrDya+XCRRkMB8GA1UdIwQY
MBaAFDbCpLfV1zxbVwRiI78w62UwBbDiMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvTnNLa3Q5WFhQRnRYQkdJanZ6RHJaVEFGc09JLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC9iYy84ZGQ4NWEtYmY4Zi00MjVlLWEyNGIt
MmNjZWRiOTY2YTU4LzEvTlhVMW51TUd2SFp2UmdpSjJzUEpyNWNKRkdRLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC9iYy84ZGQ4NWEtYmY4Zi00MjVlLWEyNGItMmNjZWRiOTY2YTU4
LzEvTnNLa3Q5WFhQRnRYQkdJanZ6RHJaVEFGc09JLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMFcGCCsGAQUFBwEHAQH/BEgwRjBEBAIAATA+AwQBV/eUAwQA
WShMAwQAW7zMAwQBXXP+AwQAuWdIAwQAue4KAwQBufHSMAwDBAC5/6kDBAK5/6gD
BADBKjQwDQYJKoZIhvcNAQELBQADggEBACu4vKIsW7OVUx+3rHo3wbY+uTUXk32d
BTlCZPvLAkercijHyjdysM5aY4q9Vn5/OCdT0ra6iwfyK3I2HbpLZ5xuklFb2iF3
2XJIxNf7K+Q1FmTvNzbDc0qdbGkO7WhwJSwNCdjuyM+wB28+hZM2XWvWJz2oPZOn
taH00awJghWn369lAeQZDK8PIlaeMjJHxYrslC5z7JD7y0TESkCjsM7JgOahB83a
wwBQcznuW128G8FkDT6oUlOigUhP4uZVL6kWmpc6RvI4IHoSz2JQl24gYZfbdYv7
aXucnMYaI3GdMdt45GnI0lRKtyHeajSkEf17KiFpG0eQCXKesjHKr9c=
-----END CERTIFICATE-----