Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/w2c9-S9tslYZyHRloINuXxkRrEQ.roa
File:                     w2c9-S9tslYZyHRloINuXxkRrEQ.roa (raw, json)
Hash identifier:          iSrEdv+Gn3EX9RptBM9geXLS9FVEB5XbG5GkmPEJ4VY=
Subject key identifier:   C3:67:3D:F9:2F:6D:B2:56:19:C8:74:65:A0:83:6E:5F:19:11:AC:44
Certificate issuer:       /CN=cdaaa0e082360360acda347664eb8314eb11da10
Certificate serial:       018BD8BD88B120472A05481C578F75EE284A
Authority key identifier: CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/w2c9-S9tslYZyHRloINuXxkRrEQ.roa
Signing time:             Thu 16 Nov 2023 15:26:21 +0000
ROA not before:           Thu 16 Nov 2023 15:26:21 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     5065
IP address blocks:        83.137.159.0/24 maxlen: 24
                          178.210.231.0/24 maxlen: 24
                          178.210.230.0/24 maxlen: 24
                          88.151.57.0/24 maxlen: 24
                          88.151.58.0/24 maxlen: 24
                          88.209.195.0/24 maxlen: 24
                          77.242.156.0/24 maxlen: 24
                          77.242.158.0/24 maxlen: 24
                          2.58.168.0/24 maxlen: 24
                          2.58.170.0/24 maxlen: 24
                          2.58.169.0/24 maxlen: 24
                          88.209.217.0/24 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8b:d8:bd:88:b1:20:47:2a:05:48:1c:57:8f:75:ee:28:4a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=cdaaa0e082360360acda347664eb8314eb11da10
        Validity
            Not Before: Nov 16 15:26:21 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=c3673df92f6db25619c87465a0836e5f1911ac44
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ab:c2:fe:58:87:9a:a7:16:15:bb:e5:69:2e:de:
                    4f:b7:60:88:5d:3e:a3:7f:ad:f0:91:88:51:b1:41:
                    9a:42:a4:3e:7d:79:75:38:ee:1b:23:41:9d:30:a2:
                    34:bc:47:ec:40:e5:9f:36:ac:2f:04:08:3b:ca:d2:
                    ff:60:58:a6:40:3d:0b:86:ae:77:64:76:91:03:c5:
                    92:71:5d:22:4e:75:30:58:2d:9b:83:54:22:a6:b5:
                    3d:85:1c:ea:84:17:4b:95:2b:1b:4b:12:b7:c5:3a:
                    db:89:65:b3:a0:23:89:56:3a:c7:2a:3d:ce:e8:e0:
                    62:63:b5:e3:4e:96:ea:7b:7b:da:63:34:04:fd:56:
                    62:27:2d:e2:0b:1a:ea:9a:fb:6d:4f:cb:5b:af:56:
                    5a:4e:4c:a3:81:75:a2:b5:48:7b:41:fc:9c:cd:6c:
                    46:16:91:74:4e:4e:e6:f4:85:5f:b0:30:ec:23:84:
                    1e:f1:01:d3:1f:d2:54:d4:22:71:63:23:7f:58:b3:
                    42:cf:ca:c1:31:57:70:4d:41:68:80:86:d7:ed:4c:
                    d8:93:ae:5f:25:b2:10:0f:a9:61:86:00:48:57:28:
                    d4:d6:49:2e:37:56:33:f7:bf:c9:ca:d5:ce:c0:d6:
                    62:42:2e:8a:bc:75:f9:3d:d2:c7:a6:31:be:e0:9a:
                    c7:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C3:67:3D:F9:2F:6D:B2:56:19:C8:74:65:A0:83:6E:5F:19:11:AC:44
            X509v3 Authority Key Identifier:
                keyid:CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/w2c9-S9tslYZyHRloINuXxkRrEQ.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  2.58.168.0-2.58.170.255
                  77.242.156.0/24
                  77.242.158.0/24
                  83.137.159.0/24
                  88.151.57.0-88.151.58.255
                  88.209.195.0/24
                  88.209.217.0/24
                  178.210.230.0/23

    Signature Algorithm: sha256WithRSAEncryption
         a3:9e:ef:32:2b:5d:c8:34:e2:dc:c0:87:3e:71:8c:1f:df:96:
         42:a6:37:64:80:58:04:32:8b:69:54:a9:a4:80:ce:49:82:3d:
         54:2f:0f:57:be:4f:88:f7:cf:08:9e:9a:cf:18:0c:6e:1a:ee:
         bf:9d:5f:de:93:b7:ef:d5:e5:13:67:82:91:6d:d5:5d:84:cb:
         cc:ef:21:1e:1a:43:e8:2a:f6:c4:2e:b1:86:01:b0:07:d9:b7:
         63:7e:84:76:96:d1:b3:8b:19:38:04:43:7d:a2:01:7e:91:d7:
         ec:f4:af:5e:fa:1e:84:ea:0a:20:c2:fe:26:22:e5:9e:01:47:
         f1:90:c3:2f:ee:1c:4c:7f:93:b9:d3:8d:e3:d8:59:e0:9d:be:
         d0:0d:79:9d:79:5b:4b:20:ec:bb:cd:b3:cc:8e:8f:9d:92:a2:
         a0:b8:25:27:ed:22:cc:ee:33:ac:82:28:fc:99:69:7a:bc:c8:
         a2:5b:82:d3:4b:65:75:8a:58:62:8e:57:a0:c8:d3:1c:87:96:
         88:4c:d4:17:c9:6d:15:2e:27:36:d8:e6:6a:85:9a:f4:5f:ca:
         df:13:d9:5e:42:80:70:c7:9e:a0:04:75:93:bb:4d:f0:53:68:
         de:d8:e3:af:6c:cb:67:a9:32:88:cb:17:72:11:f6:30:ad:22:
         23:24:e9:d5
-----BEGIN CERTIFICATE-----
MIIFNzCCBB+gAwIBAgISAYvYvYixIEcqBUgcV4917ihKMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGNkYWFhMGUwODIzNjAzNjBhY2RhMzQ3NjY0ZWI4MzE0ZWIx
MWRhMTAwHhcNMjMxMTE2MTUyNjIxWhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EyhjMzY3M2RmOTJmNmRiMjU2MTljODc0NjVhMDgzNmU1ZjE5MTFhYzQ0MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8L+WIeapxYVu+VpLt5Pt2CIXT6j
f63wkYhRsUGaQqQ+fXl1OO4bI0GdMKI0vEfsQOWfNqwvBAg7ytL/YFimQD0Lhq53
ZHaRA8WScV0iTnUwWC2bg1QiprU9hRzqhBdLlSsbSxK3xTrbiWWzoCOJVjrHKj3O
6OBiY7XjTpbqe3vaYzQE/VZiJy3iCxrqmvttT8tbr1ZaTkyjgXWitUh7QfyczWxG
FpF0Tk7m9IVfsDDsI4Qe8QHTH9JU1CJxYyN/WLNCz8rBMVdwTUFogIbX7UzYk65f
JbIQD6lhhgBIVyjU1kkuN1Yz97/JytXOwNZiQi6KvHX5PdLHpjG+4JrHzwIDAQAB
o4ICQzCCAj8wHQYDVR0OBBYEFMNnPfkvbbJWGch0ZaCDbl8ZEaxEMB8GA1UdIwQY
MBaAFM2qoOCCNgNgrNo0dmTrgxTrEdoQMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2Mt
N2U0ZDZmNmY2ZTY2LzEvdzJjOS1TOXRzbFlaeUhSbG9JTnVYeGtSckVRLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2MtN2U0ZDZmNmY2ZTY2
LzEvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMFkGCCsGAQUFBwEHAQH/BEowSDBGBAIAATBAMAwDBAMCOqgD
BAACOqoDBABN8pwDBABN8p4DBABTiZ8wDAMEAFiXOQMEAFiXOgMEAFjRwwMEAFjR
2QMEAbLS5jANBgkqhkiG9w0BAQsFAAOCAQEAo57vMitdyDTi3MCHPnGMH9+WQqY3
ZIBYBDKLaVSppIDOSYI9VC8PV75PiPfPCJ6azxgMbhruv51f3pO379XlE2eCkW3V
XYTLzO8hHhpD6Cr2xC6xhgGwB9m3Y36EdpbRs4sZOARDfaIBfpHX7PSvXvoehOoK
IML+JiLlngFH8ZDDL+4cTH+TudON49hZ4J2+0A15nXlbSyDsu82zzI6PnZKioLgl
J+0izO4zrIIo/JlperzIoluC00tldYpYYo5XoMjTHIeWiEzUF8ltFS4nNtjmaoWa
9F/K3xPZXkKAcMeeoAR1k7tN8FNo3tjjr2zLZ6kyiMsXchH2MK0iIyTp1Q==
-----END CERTIFICATE-----