Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/OThRDZgRi3GoCbm45YH76ZPxfaU.roa
File:                     OThRDZgRi3GoCbm45YH76ZPxfaU.roa (raw, json)
Hash identifier:          H9oAlxinRGkEHXFP4R5EVv/P3p6HjAUBgpv+F1PEA+8=
Subject key identifier:   39:38:51:0D:98:11:8B:71:A8:09:B9:B8:E5:81:FB:E9:93:F1:7D:A5
Certificate issuer:       /CN=cdaaa0e082360360acda347664eb8314eb11da10
Certificate serial:       018871EB64A1B49DF2D2847F903AD667F413
Authority key identifier: CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/OThRDZgRi3GoCbm45YH76ZPxfaU.roa
Signing time:             Wed 31 May 2023 13:07:12 +0000
ROA not before:           Wed 31 May 2023 13:07:12 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     61317
IP address blocks:        88.209.244.0/24 maxlen: 24
                          178.210.236.0/24 maxlen: 24
                          88.209.192.0/24 maxlen: 24
                          88.209.194.0/24 maxlen: 24
                          88.151.59.0/24 maxlen: 24
                          88.151.61.0/24 maxlen: 24
                          88.209.207.0/24 maxlen: 24
                          88.209.209.0/24 maxlen: 24
                          88.209.221.0/24 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:88:71:eb:64:a1:b4:9d:f2:d2:84:7f:90:3a:d6:67:f4:13
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=cdaaa0e082360360acda347664eb8314eb11da10
        Validity
            Not Before: May 31 13:07:12 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=3938510d98118b71a809b9b8e581fbe993f17da5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:e4:c2:88:02:28:f4:81:a5:22:c4:f7:f2:da:
                    70:60:db:a4:62:7b:8b:b4:f8:b7:8c:31:93:4e:4b:
                    49:9f:1b:cb:e1:fe:1a:95:ff:5d:65:37:6f:06:e1:
                    0d:2b:d6:15:3d:96:71:5b:6e:33:c8:4a:de:a0:e7:
                    17:22:01:ff:27:e6:c0:e5:e9:7a:de:c5:5e:04:9d:
                    d1:b6:d6:1a:8c:e3:74:f1:0d:93:6e:84:6a:a6:28:
                    44:64:ca:60:77:e3:1b:c9:11:20:8c:1a:89:3c:b5:
                    25:58:16:c0:c4:ae:e1:59:9f:62:28:46:88:52:7e:
                    9c:df:4b:04:73:22:26:c8:1a:30:7e:0a:71:5a:27:
                    9c:75:27:d9:36:90:3d:15:e5:17:3c:5f:be:81:7b:
                    28:84:8a:46:bc:2c:75:0f:60:2d:bc:16:8f:3c:4c:
                    7f:8c:a8:a9:03:e5:58:56:cb:85:15:55:5c:7a:3c:
                    6e:4d:1e:e6:1e:1b:21:81:0c:8d:41:c7:24:65:ee:
                    7c:d8:36:8e:16:cc:c7:e9:04:c6:88:92:a0:18:06:
                    92:b2:c8:8c:1b:b1:13:a8:f0:b0:12:a6:71:d5:74:
                    3b:75:e6:25:e2:9b:b0:56:fa:aa:61:b3:3c:d4:5e:
                    da:7e:bb:83:18:8f:14:c7:c4:f3:ea:74:d6:4a:0c:
                    0c:83
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                39:38:51:0D:98:11:8B:71:A8:09:B9:B8:E5:81:FB:E9:93:F1:7D:A5
            X509v3 Authority Key Identifier:
                keyid:CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/OThRDZgRi3GoCbm45YH76ZPxfaU.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  88.151.59.0/24
                  88.151.61.0/24
                  88.209.192.0/24
                  88.209.194.0/24
                  88.209.207.0/24
                  88.209.209.0/24
                  88.209.221.0/24
                  88.209.244.0/24
                  178.210.236.0/24

    Signature Algorithm: sha256WithRSAEncryption
         7f:be:a7:74:a6:25:90:e5:48:f2:28:4b:08:4e:a7:69:80:b0:
         c7:52:31:a9:79:10:58:75:bf:66:02:c3:71:15:4d:1e:63:16:
         25:61:67:30:b4:01:5e:18:d5:fb:77:16:a9:5b:0f:ae:9d:d7:
         ee:c8:32:01:37:dc:37:93:43:05:ec:75:ba:34:9b:f1:64:0b:
         53:66:8e:a0:42:b2:e7:04:c9:4a:5f:2c:dc:3d:57:4b:5a:b6:
         5b:d4:33:5e:e1:88:c5:46:0e:05:1f:8c:5c:25:ed:97:27:51:
         29:8d:06:00:4e:0e:dd:78:9b:34:ff:6b:59:01:4f:01:a6:0f:
         a0:d8:fa:7b:8d:91:2b:a0:ad:55:4f:fe:c5:55:7a:25:e7:9b:
         27:ff:ed:57:f0:55:c7:94:03:ee:ba:d9:7c:fb:c6:8f:90:73:
         95:a1:7f:f3:3c:09:e1:8d:f8:7f:2b:94:77:98:5b:86:41:74:
         27:3d:f4:e3:0e:c6:ad:1f:bb:06:bf:c6:0e:11:0d:71:1a:b9:
         ff:8c:c8:9d:e5:79:7e:06:c1:ea:06:ea:d0:91:b3:5c:4b:13:
         78:1c:76:12:71:71:a5:23:83:3a:b5:db:c8:d0:6f:26:86:34:
         74:4e:6d:41:72:c4:74:d7:48:44:8f:00:6b:8d:53:7b:ea:52:
         db:be:51:d9
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgISAYhx62ShtJ3y0oR/kDrWZ/QTMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGNkYWFhMGUwODIzNjAzNjBhY2RhMzQ3NjY0ZWI4MzE0ZWIx
MWRhMTAwHhcNMjMwNTMxMTMwNzEyWhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EygzOTM4NTEwZDk4MTE4YjcxYTgwOWI5YjhlNTgxZmJlOTkzZjE3ZGE1MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsuTCiAIo9IGlIsT38tpwYNukYnuL
tPi3jDGTTktJnxvL4f4alf9dZTdvBuENK9YVPZZxW24zyEreoOcXIgH/J+bA5el6
3sVeBJ3RttYajON08Q2TboRqpihEZMpgd+MbyREgjBqJPLUlWBbAxK7hWZ9iKEaI
Un6c30sEcyImyBowfgpxWiecdSfZNpA9FeUXPF++gXsohIpGvCx1D2AtvBaPPEx/
jKipA+VYVsuFFVVcejxuTR7mHhshgQyNQcckZe582DaOFszH6QTGiJKgGAaSssiM
G7ETqPCwEqZx1XQ7deYl4puwVvqqYbM81F7afruDGI8Ux8Tz6nTWSgwMgwIDAQAB
o4ICOTCCAjUwHQYDVR0OBBYEFDk4UQ2YEYtxqAm5uOWB++mT8X2lMB8GA1UdIwQY
MBaAFM2qoOCCNgNgrNo0dmTrgxTrEdoQMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2Mt
N2U0ZDZmNmY2ZTY2LzEvT1RoUkRaZ1JpM0dvQ2JtNDVZSDc2WlB4ZmFVLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2MtN2U0ZDZmNmY2ZTY2
LzEvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CME8GCCsGAQUFBwEHAQH/BEAwPjA8BAIAATA2AwQAWJc7AwQA
WJc9AwQAWNHAAwQAWNHCAwQAWNHPAwQAWNHRAwQAWNHdAwQAWNH0AwQAstLsMA0G
CSqGSIb3DQEBCwUAA4IBAQB/vqd0piWQ5UjyKEsITqdpgLDHUjGpeRBYdb9mAsNx
FU0eYxYlYWcwtAFeGNX7dxapWw+undfuyDIBN9w3k0MF7HW6NJvxZAtTZo6gQrLn
BMlKXyzcPVdLWrZb1DNe4YjFRg4FH4xcJe2XJ1EpjQYATg7deJs0/2tZAU8Bpg+g
2Pp7jZEroK1VT/7FVXol55sn/+1X8FXHlAPuutl8+8aPkHOVoX/zPAnhjfh/K5R3
mFuGQXQnPfTjDsatH7sGv8YOEQ1xGrn/jMid5Xl+BsHqBurQkbNcSxN4HHYScXGl
I4M6tdvI0G8mhjR0Tm1BcsR010hEjwBrjVN76lLbvlHZ
-----END CERTIFICATE-----