Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/c5/8e121d-73b3-438a-83c4-6fc343d77cd2/1/KNFivq_cwRBS5ajJLpTnwiS6_fU.roa
File:                     KNFivq_cwRBS5ajJLpTnwiS6_fU.roa (raw, json)
Hash identifier:          ZLvlEjAMH3vcahi8LKqcFrBIxRZpey8AFPiCh+eJZlU=
Subject key identifier:   28:D1:62:BE:AF:DC:C1:10:52:E5:A8:C9:2E:94:E7:C2:24:BA:FD:F5
Certificate issuer:       /CN=b4f96345d3f22edb395d247f7b86d2d73e4a0091
Certificate serial:       018AA7253DF5864FE8D5BCC33B41EF56ABDE
Authority key identifier: B4:F9:63:45:D3:F2:2E:DB:39:5D:24:7F:7B:86:D2:D7:3E:4A:00:91
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/tPljRdPyLts5XSR_e4bS1z5KAJE.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/c5/8e121d-73b3-438a-83c4-6fc343d77cd2/1/KNFivq_cwRBS5ajJLpTnwiS6_fU.roa
Signing time:             Mon 18 Sep 2023 07:15:50 +0000
ROA not before:           Mon 18 Sep 2023 07:15:50 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     12608
IP address blocks:        2a0c:7440::/29 maxlen: 29
                          2a0f:5580::/29 maxlen: 29
                          2a0f:2380::/29 maxlen: 29
                          2a0f:a700::/29 maxlen: 29
                          2a0d:88c0::/29 maxlen: 29
                          2a0f:7300::/29 maxlen: 29
                          2a09:5300::/29 maxlen: 29
                          2a0d:8340::/29 maxlen: 29
                          2a0c:7540::/29 maxlen: 29
                          2a0b:a300::/32 maxlen: 32
                          2a0f:7b80::/29 maxlen: 29
                          2a0f:7100::/29 maxlen: 29

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8a:a7:25:3d:f5:86:4f:e8:d5:bc:c3:3b:41:ef:56:ab:de
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=b4f96345d3f22edb395d247f7b86d2d73e4a0091
        Validity
            Not Before: Sep 18 07:15:50 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=28d162beafdcc11052e5a8c92e94e7c224bafdf5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:8f:0d:b4:b4:68:09:a9:61:e1:cb:a6:17:ad:42:
                    97:a8:2a:36:29:92:dd:60:ae:ef:be:ef:47:ba:60:
                    4d:f4:6a:7a:b0:bb:ee:60:04:b0:11:9d:84:03:3b:
                    45:ea:5b:2b:45:3d:c3:49:df:bd:78:8f:b5:5c:6c:
                    56:0b:ed:21:d3:2b:93:02:c0:30:42:40:fa:c0:ee:
                    00:3d:15:82:4f:b3:f3:18:22:2a:57:95:a2:c1:52:
                    15:59:0d:76:54:d7:d0:66:db:b4:89:2b:ad:48:ba:
                    d1:73:fa:a7:94:50:63:f6:52:62:ae:10:f0:68:c3:
                    68:03:90:8a:83:8a:ef:d2:72:f8:05:25:5c:46:85:
                    24:d2:a1:20:55:ee:02:5e:5c:8b:cb:f0:2d:52:1a:
                    de:ca:19:22:f7:d8:cb:b8:0e:b9:53:cb:a2:f0:f3:
                    4c:86:36:34:28:84:c8:e3:8f:9e:2c:c9:d2:bc:18:
                    57:ef:25:93:6d:54:6b:05:42:48:e9:3d:65:ac:4a:
                    ce:8c:e9:ef:96:06:49:f4:7d:22:dd:33:cb:ca:ed:
                    02:7f:ed:7e:b5:2a:af:bc:4d:62:d5:93:70:cd:fb:
                    f4:c0:03:3c:32:d0:d4:6e:cc:cc:ef:15:46:49:d9:
                    58:9f:58:79:21:bf:cd:b1:62:11:45:ba:e6:bd:6d:
                    d9:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                28:D1:62:BE:AF:DC:C1:10:52:E5:A8:C9:2E:94:E7:C2:24:BA:FD:F5
            X509v3 Authority Key Identifier:
                keyid:B4:F9:63:45:D3:F2:2E:DB:39:5D:24:7F:7B:86:D2:D7:3E:4A:00:91

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/tPljRdPyLts5XSR_e4bS1z5KAJE.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/c5/8e121d-73b3-438a-83c4-6fc343d77cd2/1/KNFivq_cwRBS5ajJLpTnwiS6_fU.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/c5/8e121d-73b3-438a-83c4-6fc343d77cd2/1/tPljRdPyLts5XSR_e4bS1z5KAJE.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv6:
                  2a09:5300::/29
                  2a0b:a300::/32
                  2a0c:7440::/29
                  2a0c:7540::/29
                  2a0d:8340::/29
                  2a0d:88c0::/29
                  2a0f:2380::/29
                  2a0f:5580::/29
                  2a0f:7100::/29
                  2a0f:7300::/29
                  2a0f:7b80::/29
                  2a0f:a700::/29

    Signature Algorithm: sha256WithRSAEncryption
         b7:f9:4c:4c:90:c2:6b:98:bf:f4:10:d7:c4:a0:c2:b5:c2:5a:
         17:b3:c6:48:47:76:c5:8a:37:fd:e1:f4:89:66:a7:6d:9e:a7:
         5b:54:56:bc:83:41:85:a8:4c:70:03:18:67:67:89:f9:1b:6e:
         ad:c9:7f:24:6e:7d:17:b1:5c:7f:14:28:32:c8:a0:ad:2b:07:
         88:81:78:da:ed:ce:c1:3b:ec:5c:88:05:c7:cf:c7:1b:64:cd:
         c2:a2:42:70:e6:8a:00:af:91:25:8b:26:f1:1a:f1:fa:5d:7c:
         34:00:17:5a:a0:9c:36:d3:14:6f:ac:2c:7e:79:90:ed:94:7e:
         37:28:2d:66:a5:6e:e1:e0:76:5b:bc:c8:77:b7:82:87:2d:4e:
         c3:ae:52:b1:a3:f0:1a:25:3e:9d:74:15:c3:44:eb:63:ff:22:
         f7:63:6e:cd:ab:95:7a:e9:e0:a0:a1:a2:61:53:6d:02:62:2a:
         6c:42:8f:e7:95:3d:97:6d:c1:8e:d3:19:c2:c3:b9:10:00:0c:
         a0:45:3b:2f:84:b3:23:4a:6b:65:1d:e6:9d:86:2e:1e:a5:0f:
         86:f2:6f:4a:f1:6e:8f:17:04:6b:7f:e1:4a:ed:bd:f7:79:4c:
         a1:49:12:12:9f:60:d3:5d:3d:e9:97:7d:82:e8:89:63:eb:76:
         f6:24:04:b5
-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgISAYqnJT31hk/o1bzDO0HvVqveMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGI0Zjk2MzQ1ZDNmMjJlZGIzOTVkMjQ3ZjdiODZkMmQ3M2U0
YTAwOTEwHhcNMjMwOTE4MDcxNTUwWhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EygyOGQxNjJiZWFmZGNjMTEwNTJlNWE4YzkyZTk0ZTdjMjI0YmFmZGY1MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjw20tGgJqWHhy6YXrUKXqCo2KZLd
YK7vvu9HumBN9Gp6sLvuYASwEZ2EAztF6lsrRT3DSd+9eI+1XGxWC+0h0yuTAsAw
QkD6wO4APRWCT7PzGCIqV5WiwVIVWQ12VNfQZtu0iSutSLrRc/qnlFBj9lJirhDw
aMNoA5CKg4rv0nL4BSVcRoUk0qEgVe4CXlyLy/AtUhreyhki99jLuA65U8ui8PNM
hjY0KITI44+eLMnSvBhX7yWTbVRrBUJI6T1lrErOjOnvlgZJ9H0i3TPLyu0Cf+1+
tSqvvE1i1ZNwzfv0wAM8MtDUbszM7xVGSdlYn1h5Ib/NsWIRRbrmvW3ZpQIDAQAB
o4ICVzCCAlMwHQYDVR0OBBYEFCjRYr6v3MEQUuWoyS6U58Ikuv31MB8GA1UdIwQY
MBaAFLT5Y0XT8i7bOV0kf3uG0tc+SgCRMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvdFBsalJkUHlMdHM1WFNSX2U0YlMxejVLQUpFLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC9jNS84ZTEyMWQtNzNiMy00MzhhLTgzYzQt
NmZjMzQzZDc3Y2QyLzEvS05GaXZxX2N3UkJTNWFqSkxwVG53aVM2X2ZVLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC9jNS84ZTEyMWQtNzNiMy00MzhhLTgzYzQtNmZjMzQzZDc3Y2Qy
LzEvdFBsalJkUHlMdHM1WFNSX2U0YlMxejVLQUpFLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMG0GCCsGAQUFBwEHAQH/BF4wXDBaBAIAAjBUAwUDKglTAAMF
ACoLowADBQMqDHRAAwUDKgx1QAMFAyoNg0ADBQMqDYjAAwUDKg8jgAMFAyoPVYAD
BQMqD3EAAwUDKg9zAAMFAyoPe4ADBQMqD6cAMA0GCSqGSIb3DQEBCwUAA4IBAQC3
+UxMkMJrmL/0ENfEoMK1wloXs8ZIR3bFijf94fSJZqdtnqdbVFa8g0GFqExwAxhn
Z4n5G26tyX8kbn0XsVx/FCgyyKCtKweIgXja7c7BO+xciAXHz8cbZM3CokJw5ooA
r5EliybxGvH6XXw0ABdaoJw20xRvrCx+eZDtlH43KC1mpW7h4HZbvMh3t4KHLU7D
rlKxo/AaJT6ddBXDROtj/yL3Y27Nq5V66eCgoaJhU20CYipsQo/nlT2XbcGO0xnC
w7kQAAygRTsvhLMjSmtlHeadhi4epQ+G8m9K8W6PFwRrf+FK7b33eUyhSRISn2DT
XT3pl32C6Ilj63b2JAS1
-----END CERTIFICATE-----