Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/m02lrLnAyx5rOYALU7ZJn4vptpw.roa
File:                     m02lrLnAyx5rOYALU7ZJn4vptpw.roa (raw, json)
Hash identifier:          AC8fmO6OudqpYrhkVdIix/ZZOxg/yjj6ESid1y5RB40=
Subject key identifier:   9B:4D:A5:AC:B9:C0:CB:1E:6B:39:80:0B:53:B6:49:9F:8B:E9:B6:9C
Certificate issuer:       /CN=cdaaa0e082360360acda347664eb8314eb11da10
Certificate serial:       0187A456C84993D40825F10A0D8845956C01
Authority key identifier: CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/m02lrLnAyx5rOYALU7ZJn4vptpw.roa
Signing time:             Fri 21 Apr 2023 15:02:43 +0000
ROA not before:           Fri 21 Apr 2023 15:02:43 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     834
IP address blocks:        88.209.248.0/24 maxlen: 24
                          88.209.249.0/24 maxlen: 24
                          178.210.236.0/24 maxlen: 24
                          88.151.56.0/24 maxlen: 24
                          88.209.198.0/24 maxlen: 24
                          88.209.209.0/24 maxlen: 24
                          5.182.113.0/24 maxlen: 24
                          88.209.216.0/24 maxlen: 24
                          88.209.225.0/24 maxlen: 24
                          88.209.221.0/24 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:87:a4:56:c8:49:93:d4:08:25:f1:0a:0d:88:45:95:6c:01
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=cdaaa0e082360360acda347664eb8314eb11da10
        Validity
            Not Before: Apr 21 15:02:43 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=9b4da5acb9c0cb1e6b39800b53b6499f8be9b69c
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:af:e9:f4:2d:c7:e4:2b:53:17:a0:cf:a0:4d:e1:
                    15:92:13:75:5f:fb:4f:ea:2e:67:65:07:39:11:b2:
                    0e:67:52:bc:9e:93:ef:27:6f:f4:5c:e9:fa:23:cc:
                    c3:3d:16:be:b4:4a:01:46:79:28:ae:af:6d:91:fd:
                    c2:0c:54:45:d4:1c:32:c1:b8:4a:30:a8:09:1e:d4:
                    61:50:80:5b:71:94:f1:ef:d3:78:29:f0:f6:be:83:
                    e0:4e:a0:84:94:39:3b:f7:49:28:2e:66:61:bd:52:
                    65:c5:23:98:c1:b2:98:bb:c5:0b:c7:92:ec:7a:e4:
                    7e:db:63:dc:c2:43:0f:20:bf:a2:91:42:66:6d:4d:
                    5c:62:d7:f7:2a:65:7d:00:73:47:1d:cc:e3:43:38:
                    00:ac:ab:af:ad:9a:b0:d9:a0:86:b1:5a:4c:4a:bc:
                    be:20:13:66:44:3c:da:e4:ce:07:ad:b9:e9:05:4c:
                    64:3c:7d:e4:fa:c5:b7:47:19:8c:65:1d:c8:74:41:
                    a4:94:98:ba:27:a4:1b:6a:13:89:e1:c9:79:34:83:
                    5e:cd:38:4d:ff:0b:8c:68:18:c1:cf:f7:77:20:00:
                    07:4f:16:b8:23:7e:3c:a4:2d:b8:98:b4:77:4d:0f:
                    ff:2e:75:f9:45:6d:82:6d:21:13:49:3c:af:9d:98:
                    0a:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9B:4D:A5:AC:B9:C0:CB:1E:6B:39:80:0B:53:B6:49:9F:8B:E9:B6:9C
            X509v3 Authority Key Identifier:
                keyid:CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/m02lrLnAyx5rOYALU7ZJn4vptpw.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  5.182.113.0/24
                  88.151.56.0/24
                  88.209.198.0/24
                  88.209.209.0/24
                  88.209.216.0/24
                  88.209.221.0/24
                  88.209.225.0/24
                  88.209.248.0/23
                  178.210.236.0/24

    Signature Algorithm: sha256WithRSAEncryption
         64:e8:33:e5:8f:93:c1:63:ec:a6:2b:c4:92:5a:72:35:36:aa:
         19:67:87:89:28:93:90:dd:ba:25:39:c3:21:f3:fb:f6:a0:d8:
         d3:f7:53:36:38:02:8a:6b:b1:3a:09:7e:f9:40:41:9f:d6:1a:
         48:43:e9:0a:85:fa:01:4f:ee:21:2e:d6:11:c9:1a:a5:7e:bc:
         ed:cd:e1:86:67:04:3b:aa:63:55:fb:ff:c1:62:ec:5e:e7:81:
         dc:bb:93:ff:8c:95:37:16:3f:c0:99:50:46:c2:31:69:03:db:
         7a:65:de:56:61:07:36:fb:62:4f:a5:1b:0f:de:14:9b:aa:bb:
         50:41:67:4d:80:37:8b:62:b7:50:19:e5:0f:83:07:84:c7:5c:
         52:e2:b5:f2:46:f7:03:93:94:51:58:1f:50:ab:72:b3:87:c7:
         9d:a1:92:7b:27:dd:c1:3c:f8:d8:5e:69:46:0a:b9:2b:73:09:
         c0:14:64:c5:09:6b:6d:19:1c:62:71:69:db:68:03:2d:9c:3d:
         ef:73:10:23:7b:e4:2f:83:61:e4:34:2c:b1:54:a3:46:4e:24:
         92:cf:d3:c8:98:dc:f2:04:c3:57:77:78:72:9a:ef:b1:1a:43:
         9e:db:c8:90:bb:58:9a:7a:63:95:d1:69:6e:5d:78:d3:68:d0:
         bf:3a:80:92
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgISAYekVshJk9QIJfEKDYhFlWwBMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGNkYWFhMGUwODIzNjAzNjBhY2RhMzQ3NjY0ZWI4MzE0ZWIx
MWRhMTAwHhcNMjMwNDIxMTUwMjQzWhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
Eyg5YjRkYTVhY2I5YzBjYjFlNmIzOTgwMGI1M2I2NDk5ZjhiZTliNjljMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr+n0LcfkK1MXoM+gTeEVkhN1X/tP
6i5nZQc5EbIOZ1K8npPvJ2/0XOn6I8zDPRa+tEoBRnkorq9tkf3CDFRF1BwywbhK
MKgJHtRhUIBbcZTx79N4KfD2voPgTqCElDk790koLmZhvVJlxSOYwbKYu8ULx5Ls
euR+22PcwkMPIL+ikUJmbU1cYtf3KmV9AHNHHczjQzgArKuvrZqw2aCGsVpMSry+
IBNmRDza5M4HrbnpBUxkPH3k+sW3RxmMZR3IdEGklJi6J6QbahOJ4cl5NINezThN
/wuMaBjBz/d3IAAHTxa4I348pC24mLR3TQ//LnX5RW2CbSETSTyvnZgK/wIDAQAB
o4ICOTCCAjUwHQYDVR0OBBYEFJtNpay5wMseazmAC1O2SZ+L6bacMB8GA1UdIwQY
MBaAFM2qoOCCNgNgrNo0dmTrgxTrEdoQMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2Mt
N2U0ZDZmNmY2ZTY2LzEvbTAybHJMbkF5eDVyT1lBTFU3WkpuNHZwdHB3LnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2MtN2U0ZDZmNmY2ZTY2
LzEvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CME8GCCsGAQUFBwEHAQH/BEAwPjA8BAIAATA2AwQABbZxAwQA
WJc4AwQAWNHGAwQAWNHRAwQAWNHYAwQAWNHdAwQAWNHhAwQBWNH4AwQAstLsMA0G
CSqGSIb3DQEBCwUAA4IBAQBk6DPlj5PBY+ymK8SSWnI1NqoZZ4eJKJOQ3bolOcMh
8/v2oNjT91M2OAKKa7E6CX75QEGf1hpIQ+kKhfoBT+4hLtYRyRqlfrztzeGGZwQ7
qmNV+//BYuxe54Hcu5P/jJU3Fj/AmVBGwjFpA9t6Zd5WYQc2+2JPpRsP3hSbqrtQ
QWdNgDeLYrdQGeUPgweEx1xS4rXyRvcDk5RRWB9Qq3Kzh8edoZJ7J93BPPjYXmlG
CrkrcwnAFGTFCWttGRxicWnbaAMtnD3vcxAje+Qvg2HkNCyxVKNGTiSSz9PImNzy
BMNXd3hymu+xGkOe28iQu1iaemOV0WluXXjTaNC/OoCS
-----END CERTIFICATE-----