Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/NTaa-PfuIJhSnpYxKfk5RRnyS5c.roa
File:                     NTaa-PfuIJhSnpYxKfk5RRnyS5c.roa (raw, json)
Hash identifier:          rdDjfDw7n/o5wjpRgL2AlewJ1SUn9aZKSb1mkSgMwfo=
Subject key identifier:   35:36:9A:F8:F7:EE:20:98:52:9E:96:31:29:F9:39:45:19:F2:4B:97
Certificate issuer:       /CN=cdaaa0e082360360acda347664eb8314eb11da10
Certificate serial:       018CC3B6B70CB95B0D30FA886B6D5963A1B0
Authority key identifier: CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/NTaa-PfuIJhSnpYxKfk5RRnyS5c.roa
Signing time:             Mon 01 Jan 2024 06:29:40 +0000
ROA not before:           Mon 01 Jan 2024 06:29:40 +0000
ROA not after:            Tue 01 Jul 2025 00:00:00 +0000
asID:                     5065
IP address blocks:        83.137.159.0/24 maxlen: 24
                          178.210.231.0/24 maxlen: 24
                          178.210.230.0/24 maxlen: 24
                          88.209.195.0/24 maxlen: 24
                          77.242.156.0/24 maxlen: 24
                          77.242.158.0/24 maxlen: 24
                          88.209.217.0/24 maxlen: 24
                          88.209.226.0/24 maxlen: 24
                          88.151.57.0/24 maxlen: 24
                          88.151.58.0/24 maxlen: 24
                          88.151.62.0/24 maxlen: 24
                          2.58.168.0/24 maxlen: 24
                          2.58.170.0/24 maxlen: 24
                          2.58.169.0/24 maxlen: 24
                          5.182.114.0/24 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8c:c3:b6:b7:0c:b9:5b:0d:30:fa:88:6b:6d:59:63:a1:b0
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=cdaaa0e082360360acda347664eb8314eb11da10
        Validity
            Not Before: Jan  1 06:29:40 2024 GMT
            Not After : Jul  1 00:00:00 2025 GMT
        Subject: CN=35369af8f7ee2098529e963129f9394519f24b97
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e7:87:3c:f2:3b:ce:ac:79:ae:37:24:06:b2:4d:
                    0a:8d:65:1b:9c:d2:5e:60:4d:bb:b9:22:91:84:97:
                    1f:88:d2:a5:a4:3f:5c:42:67:9a:a8:b5:b1:25:f7:
                    3d:be:95:a2:8d:6b:f2:ea:13:ab:a5:09:14:c5:b0:
                    7c:a6:1a:12:b0:25:29:ca:c1:a5:f4:5e:26:5c:1b:
                    77:ba:39:ff:d1:ed:ee:51:41:77:02:e1:40:2e:61:
                    48:2e:1c:93:83:96:f0:42:11:28:84:5d:3a:3e:2a:
                    7d:8b:1d:04:6e:ce:e0:ec:4f:e7:ae:6d:f0:a9:1a:
                    c1:06:de:88:a3:73:cc:a5:46:0c:90:ee:4d:11:3c:
                    bc:d4:0b:3b:eb:e7:19:3e:cc:61:da:c5:78:b4:f2:
                    52:5d:15:c4:f4:a5:60:26:33:4b:43:c9:11:ec:f3:
                    29:a7:2d:3f:80:2e:4d:cc:9f:f6:ce:f9:6a:82:43:
                    7a:44:3a:c8:2a:c1:38:cd:23:22:4b:c4:72:61:73:
                    3c:87:04:ed:60:af:b6:1c:d7:ec:ca:d6:73:f1:87:
                    99:6b:90:c2:86:91:e9:b9:15:63:15:a1:a8:82:77:
                    bd:af:fa:39:49:bb:5a:96:69:ea:15:ad:b5:de:fd:
                    e5:c2:0e:e5:56:79:fa:7f:20:dd:7d:4e:c9:15:ee:
                    cc:7b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                35:36:9A:F8:F7:EE:20:98:52:9E:96:31:29:F9:39:45:19:F2:4B:97
            X509v3 Authority Key Identifier:
                keyid:CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/NTaa-PfuIJhSnpYxKfk5RRnyS5c.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  2.58.168.0-2.58.170.255
                  5.182.114.0/24
                  77.242.156.0/24
                  77.242.158.0/24
                  83.137.159.0/24
                  88.151.57.0-88.151.58.255
                  88.151.62.0/24
                  88.209.195.0/24
                  88.209.217.0/24
                  88.209.226.0/24
                  178.210.230.0/23

    Signature Algorithm: sha256WithRSAEncryption
         7e:17:8c:ce:16:75:09:1f:50:94:28:ff:50:d1:a3:ab:e2:e1:
         f0:ef:12:71:1a:59:3b:b8:a5:b6:77:e8:25:e0:25:07:e4:1c:
         e7:66:e7:94:e5:92:38:e4:3c:f2:64:39:6b:1f:82:19:36:d5:
         bf:78:57:1b:02:a3:e7:c7:0f:3c:cd:b8:8f:f6:a9:50:26:e1:
         f1:b7:8f:9f:72:ea:eb:41:a4:47:d0:a6:b5:2f:86:38:16:a2:
         29:a3:14:de:20:7f:9b:fe:f1:66:ba:2d:f8:df:90:40:57:ad:
         27:54:3e:d8:8a:c1:55:aa:c0:fc:bf:f9:6d:da:63:1a:82:75:
         33:d6:55:42:11:81:5e:3c:be:d7:2e:56:3f:d7:6c:8a:42:cc:
         de:25:41:f2:a5:b0:74:91:3a:ce:9e:b7:f0:32:96:97:bd:b0:
         60:4c:c0:7b:04:55:93:37:3d:35:2f:e1:33:3a:5a:af:ee:05:
         39:3c:41:40:18:8f:60:f7:5d:d4:a6:76:c1:95:b7:1e:b1:88:
         20:8d:e5:38:88:92:5f:c3:3e:ce:ad:e5:5f:79:11:17:2d:c6:
         9f:7a:2a:15:0a:1f:bc:98:92:8e:e4:da:5b:9d:26:07:a6:9f:
         9c:27:0d:16:54:a1:5d:cf:df:9a:aa:41:18:bd:50:bf:aa:66:
         45:f7:b2:fa
-----BEGIN CERTIFICATE-----
MIIFSTCCBDGgAwIBAgISAYzDtrcMuVsNMPqIa21ZY6GwMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGNkYWFhMGUwODIzNjAzNjBhY2RhMzQ3NjY0ZWI4MzE0ZWIx
MWRhMTAwHhcNMjQwMTAxMDYyOTQwWhcNMjUwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EygzNTM2OWFmOGY3ZWUyMDk4NTI5ZTk2MzEyOWY5Mzk0NTE5ZjI0Yjk3MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54c88jvOrHmuNyQGsk0KjWUbnNJe
YE27uSKRhJcfiNKlpD9cQmeaqLWxJfc9vpWijWvy6hOrpQkUxbB8phoSsCUpysGl
9F4mXBt3ujn/0e3uUUF3AuFALmFILhyTg5bwQhEohF06Pip9ix0Ebs7g7E/nrm3w
qRrBBt6Io3PMpUYMkO5NETy81As76+cZPsxh2sV4tPJSXRXE9KVgJjNLQ8kR7PMp
py0/gC5NzJ/2zvlqgkN6RDrIKsE4zSMiS8RyYXM8hwTtYK+2HNfsytZz8YeZa5DC
hpHpuRVjFaGogne9r/o5SbtalmnqFa213v3lwg7lVnn6fyDdfU7JFe7MewIDAQAB
o4ICVTCCAlEwHQYDVR0OBBYEFDU2mvj37iCYUp6WMSn5OUUZ8kuXMB8GA1UdIwQY
MBaAFM2qoOCCNgNgrNo0dmTrgxTrEdoQMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2Mt
N2U0ZDZmNmY2ZTY2LzEvTlRhYS1QZnVJSmhTbnBZeEtmazVSUm55UzVjLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2MtN2U0ZDZmNmY2ZTY2
LzEvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMGsGCCsGAQUFBwEHAQH/BFwwWjBYBAIAATBSMAwDBAMCOqgD
BAACOqoDBAAFtnIDBABN8pwDBABN8p4DBABTiZ8wDAMEAFiXOQMEAFiXOgMEAFiX
PgMEAFjRwwMEAFjR2QMEAFjR4gMEAbLS5jANBgkqhkiG9w0BAQsFAAOCAQEAfheM
zhZ1CR9QlCj/UNGjq+Lh8O8ScRpZO7iltnfoJeAlB+Qc52bnlOWSOOQ88mQ5ax+C
GTbVv3hXGwKj58cPPM24j/apUCbh8bePn3Lq60GkR9CmtS+GOBaiKaMU3iB/m/7x
Zrot+N+QQFetJ1Q+2IrBVarA/L/5bdpjGoJ1M9ZVQhGBXjy+1y5WP9dsikLM3iVB
8qWwdJE6zp638DKWl72wYEzAewRVkzc9NS/hMzpar+4FOTxBQBiPYPdd1KZ2wZW3
HrGIII3lOIiSX8M+zq3lX3kRFy3Gn3oqFQofvJiSjuTaW50mB6afnCcNFlShXc/f
mqpBGL1Qv6pmRfey+g==
-----END CERTIFICATE-----