Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/t_cOmLYwf7xsmTZRyweh2cAVxyI.roa
File:                     t_cOmLYwf7xsmTZRyweh2cAVxyI.roa (raw, json)
Hash identifier:          ztpEzZc8A5hqWM6DGycS+fSwtIvg/adHiBggohG1j9Y=
Subject key identifier:   B7:F7:0E:98:B6:30:7F:BC:6C:99:36:51:CB:07:A1:D9:C0:15:C7:22
Certificate issuer:       /CN=cdaaa0e082360360acda347664eb8314eb11da10
Certificate serial:       018C6257204A5F83515358352040783B0BA3
Authority key identifier: CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/t_cOmLYwf7xsmTZRyweh2cAVxyI.roa
Signing time:             Wed 13 Dec 2023 08:42:06 +0000
ROA not before:           Wed 13 Dec 2023 08:42:06 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     5065
IP address blocks:        83.137.159.0/24 maxlen: 24
                          178.210.231.0/24 maxlen: 24
                          178.210.230.0/24 maxlen: 24
                          88.209.195.0/24 maxlen: 24
                          77.242.156.0/24 maxlen: 24
                          77.242.158.0/24 maxlen: 24
                          88.209.217.0/24 maxlen: 24
                          88.209.226.0/24 maxlen: 24
                          88.151.57.0/24 maxlen: 24
                          88.151.58.0/24 maxlen: 24
                          88.151.62.0/24 maxlen: 24
                          2.58.168.0/24 maxlen: 24
                          2.58.170.0/24 maxlen: 24
                          2.58.169.0/24 maxlen: 24
                          5.182.114.0/24 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8c:62:57:20:4a:5f:83:51:53:58:35:20:40:78:3b:0b:a3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=cdaaa0e082360360acda347664eb8314eb11da10
        Validity
            Not Before: Dec 13 08:42:06 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=b7f70e98b6307fbc6c993651cb07a1d9c015c722
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B7:F7:0E:98:B6:30:7F:BC:6C:99:36:51:CB:07:A1:D9:C0:15:C7:22
            X509v3 Authority Key Identifier:
                keyid:CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/t_cOmLYwf7xsmTZRyweh2cAVxyI.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  2.58.168.0-2.58.170.255
                  5.182.114.0/24
                  77.242.156.0/24
                  77.242.158.0/24
                  83.137.159.0/24
                  88.151.57.0-88.151.58.255
                  88.151.62.0/24
                  88.209.195.0/24
                  88.209.217.0/24
                  88.209.226.0/24
                  178.210.230.0/23

    Signature Algorithm: sha256WithRSAEncryption
Generated at Thu Jun 6 19:47:57 2024 by rpki-client on console-ams.rpki-client.org