Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/Kx_oy3NRmGlQA2rAwGR3c4plEkE.roa
File:                     Kx_oy3NRmGlQA2rAwGR3c4plEkE.roa (raw, json)
Hash identifier:          QI6BLDz6gI0ChZF9iMn5kPi7pAacB+Op25RH7ArhtpY=
Subject key identifier:   2B:1F:E8:CB:73:51:98:69:50:03:6A:C0:C0:64:77:73:8A:65:12:41
Certificate issuer:       /CN=cdaaa0e082360360acda347664eb8314eb11da10
Certificate serial:       018ADF875AB7BCF3174AA9FCC941D3C1063C
Authority key identifier: CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/Kx_oy3NRmGlQA2rAwGR3c4plEkE.roa
Signing time:             Fri 29 Sep 2023 06:01:44 +0000
ROA not before:           Fri 29 Sep 2023 06:01:44 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     834
IP address blocks:        88.209.253.0/24 maxlen: 24
                          178.210.228.0/24 maxlen: 24
                          77.242.150.0/24 maxlen: 24
                          88.151.56.0/23 maxlen: 24
                          88.151.62.0/24 maxlen: 24
                          5.182.113.0/24 maxlen: 24
                          88.209.211.0/24 maxlen: 24
                          88.209.217.0/24 maxlen: 24
                          88.209.220.0/24 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8a:df:87:5a:b7:bc:f3:17:4a:a9:fc:c9:41:d3:c1:06:3c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=cdaaa0e082360360acda347664eb8314eb11da10
        Validity
            Not Before: Sep 29 06:01:44 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=2b1fe8cb7351986950036ac0c06477738a651241
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a7:88:31:a9:91:17:11:df:e9:81:bd:5b:62:67:
                    c0:05:2f:65:8a:94:f1:75:3c:57:b8:f0:17:4d:b6:
                    3e:1b:b0:38:ce:b6:fe:d2:68:da:14:bc:4c:ca:52:
                    49:01:8f:eb:f5:b1:99:e6:cf:a0:a3:f2:bb:c2:64:
                    00:65:b0:b3:f3:8e:87:f8:e3:f0:36:59:94:6e:ae:
                    21:d1:e6:f7:1e:83:69:45:fc:05:0a:5a:42:9d:73:
                    0e:af:34:00:1e:a9:06:a0:0b:49:ba:a7:43:5e:e5:
                    7b:80:51:43:c8:06:e9:69:fa:7f:eb:b3:25:dd:44:
                    07:e5:ac:91:92:8e:2d:b0:85:df:80:7e:ac:e5:c7:
                    26:39:c6:6a:c4:4f:87:b9:94:79:3f:36:63:c5:1a:
                    d0:03:c6:24:c6:ea:7f:9f:9b:32:37:90:d7:4c:1a:
                    c3:03:0d:58:3f:32:3c:dc:54:42:f5:9a:47:a6:a0:
                    90:96:7a:26:45:ac:f4:6a:de:75:ea:b6:48:84:57:
                    bc:64:32:2d:9b:f3:42:25:57:c4:fb:a0:bc:74:9c:
                    b0:bd:25:af:0b:dc:be:15:b5:de:90:94:3c:0e:4a:
                    4e:e4:5f:6f:65:50:39:a2:cf:cd:ca:28:89:52:1e:
                    f8:9e:41:ad:44:15:13:04:d6:7d:1f:2c:aa:75:77:
                    4d:b7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2B:1F:E8:CB:73:51:98:69:50:03:6A:C0:C0:64:77:73:8A:65:12:41
            X509v3 Authority Key Identifier:
                keyid:CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/Kx_oy3NRmGlQA2rAwGR3c4plEkE.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  5.182.113.0/24
                  77.242.150.0/24
                  88.151.56.0/23
                  88.151.62.0/24
                  88.209.211.0/24
                  88.209.217.0/24
                  88.209.220.0/24
                  88.209.253.0/24
                  178.210.228.0/24

    Signature Algorithm: sha256WithRSAEncryption
         b5:d8:d0:1d:8b:40:b1:c1:3a:cf:f0:41:5c:fe:2b:1f:89:3b:
         71:e2:ee:ee:20:5f:d3:e8:ce:c7:ef:18:95:b0:5c:05:68:1b:
         c6:3d:b8:e4:d6:82:b4:53:dc:08:ec:4f:ac:fe:ef:06:22:b6:
         de:4b:ec:5a:ea:b3:0a:b7:81:50:50:b4:9c:63:1e:74:46:60:
         0c:4c:19:70:3a:e2:fb:b7:4c:6a:c5:ce:5f:88:8d:ef:54:5f:
         33:34:1c:10:a4:f6:99:03:52:8a:1b:43:92:84:78:e2:52:cd:
         60:14:bc:5f:a2:93:38:75:c9:b7:29:21:1a:56:4a:21:61:87:
         40:d0:19:35:62:0b:37:a6:13:a1:98:25:65:19:28:f0:91:36:
         e2:69:09:89:6a:8c:8c:08:eb:ff:8d:23:65:38:eb:95:a3:3c:
         5c:8e:48:0f:a3:d2:b3:a7:aa:9c:c8:23:c8:9e:29:7a:ca:19:
         56:be:2c:84:47:5d:01:8c:d0:f6:a5:13:93:fb:88:8f:47:96:
         70:f0:7e:2d:44:b5:00:6e:a2:37:eb:fe:dd:05:01:9e:99:fc:
         0b:1c:bd:e0:40:b6:5d:b9:12:90:c3:98:85:51:83:95:01:8b:
         73:3e:07:8d:2d:a7:24:04:ea:52:26:ee:a2:08:d9:a8:d5:f2:
         3f:b2:5b:05
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgISAYrfh1q3vPMXSqn8yUHTwQY8MA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGNkYWFhMGUwODIzNjAzNjBhY2RhMzQ3NjY0ZWI4MzE0ZWIx
MWRhMTAwHhcNMjMwOTI5MDYwMTQ0WhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EygyYjFmZThjYjczNTE5ODY5NTAwMzZhYzBjMDY0Nzc3MzhhNjUxMjQxMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp4gxqZEXEd/pgb1bYmfABS9lipTx
dTxXuPAXTbY+G7A4zrb+0mjaFLxMylJJAY/r9bGZ5s+go/K7wmQAZbCz846H+OPw
NlmUbq4h0eb3HoNpRfwFClpCnXMOrzQAHqkGoAtJuqdDXuV7gFFDyAbpafp/67Ml
3UQH5ayRko4tsIXfgH6s5ccmOcZqxE+HuZR5PzZjxRrQA8Ykxup/n5syN5DXTBrD
Aw1YPzI83FRC9ZpHpqCQlnomRaz0at516rZIhFe8ZDItm/NCJVfE+6C8dJywvSWv
C9y+FbXekJQ8DkpO5F9vZVA5os/NyiiJUh74nkGtRBUTBNZ9HyyqdXdNtwIDAQAB
o4ICOTCCAjUwHQYDVR0OBBYEFCsf6MtzUZhpUANqwMBkd3OKZRJBMB8GA1UdIwQY
MBaAFM2qoOCCNgNgrNo0dmTrgxTrEdoQMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2Mt
N2U0ZDZmNmY2ZTY2LzEvS3hfb3kzTlJtR2xRQTJyQXdHUjNjNHBsRWtFLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2MtN2U0ZDZmNmY2ZTY2
LzEvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CME8GCCsGAQUFBwEHAQH/BEAwPjA8BAIAATA2AwQABbZxAwQA
TfKWAwQBWJc4AwQAWJc+AwQAWNHTAwQAWNHZAwQAWNHcAwQAWNH9AwQAstLkMA0G
CSqGSIb3DQEBCwUAA4IBAQC12NAdi0CxwTrP8EFc/isfiTtx4u7uIF/T6M7H7xiV
sFwFaBvGPbjk1oK0U9wI7E+s/u8GIrbeS+xa6rMKt4FQULScYx50RmAMTBlwOuL7
t0xqxc5fiI3vVF8zNBwQpPaZA1KKG0OShHjiUs1gFLxfopM4dcm3KSEaVkohYYdA
0Bk1Ygs3phOhmCVlGSjwkTbiaQmJaoyMCOv/jSNlOOuVozxcjkgPo9Kzp6qcyCPI
nil6yhlWviyER10BjND2pROT+4iPR5Zw8H4tRLUAbqI36/7dBQGemfwLHL3gQLZd
uRKQw5iFUYOVAYtzPgeNLackBOpSJu6iCNmo1fI/slsF
-----END CERTIFICATE-----