Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/0f/e8bbd2-1361-41a3-90f0-5334e6b8c5fe/1/FhAJYowLhC2lG3ssrT19-Qzk4IY.roa
File:                     FhAJYowLhC2lG3ssrT19-Qzk4IY.roa (raw, json)
Hash identifier:          fltVPnnNnGzZ7LztXTZs4VHk/1wPETPc5c/oSisbjZY=
Subject key identifier:   16:10:09:62:8C:0B:84:2D:A5:1B:7B:2C:AD:3D:7D:F9:0C:E4:E0:86
Certificate issuer:       /CN=b011022187e3395a1524fa1a7541ea793285afc2
Certificate serial:       0CBD87E9
Authority key identifier: B0:11:02:21:87:E3:39:5A:15:24:FA:1A:75:41:EA:79:32:85:AF:C2
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/sBECIYfjOVoVJPoadUHqeTKFr8I.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/0f/e8bbd2-1361-41a3-90f0-5334e6b8c5fe/1/FhAJYowLhC2lG3ssrT19-Qzk4IY.roa
Signing time:             Sat 01 Jan 2022 15:06:29 +0000
ROA not before:           Sat 01 Jan 2022 15:06:29 +0000
ROA not after:            Sat 01 Jul 2023 00:00:00 +0000
asID:                     39308
IP address blocks:        46.21.80.0/20 maxlen: 20
                          37.128.240.0/20 maxlen: 20
                          159.20.96.0/20 maxlen: 20
                          185.56.98.0/24 maxlen: 24
                          185.56.96.0/23 maxlen: 24
                          185.56.99.0/24 maxlen: 24
                          176.221.16.0/20 maxlen: 20
                          176.12.64.0/20 maxlen: 20
                          109.109.32.0/19 maxlen: 19
                          89.144.128.0/18 maxlen: 20
                          89.144.130.0/24 maxlen: 24
                          109.109.48.0/24 maxlen: 24
                          2a00:1570::/32 maxlen: 64

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 213747689 (0xcbd87e9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=b011022187e3395a1524fa1a7541ea793285afc2
        Validity
            Not Before: Jan  1 15:06:29 2022 GMT
            Not After : Jul  1 00:00:00 2023 GMT
        Subject: CN=161009628c0b842da51b7b2cad3d7df90ce4e086
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c0:58:4e:70:03:7c:69:a3:84:b1:bf:99:d6:e2:
                    68:15:a0:cf:45:13:9f:4d:a7:f6:ac:9e:2a:e6:9a:
                    c2:8e:cc:1d:80:aa:d2:22:96:df:fd:e2:f0:2d:c6:
                    0b:81:c1:45:45:ab:72:23:3c:95:b6:a9:1d:e3:48:
                    08:8e:5a:3f:98:a4:3b:d1:d6:6a:10:d3:8e:eb:9e:
                    1b:29:85:f3:86:4a:8c:dd:91:47:95:ec:fe:9c:43:
                    b6:00:c2:2b:f5:2d:4e:8a:1f:0f:c9:01:e0:5f:60:
                    96:b7:d0:bc:75:84:e7:b0:86:d4:2a:da:71:60:ac:
                    ff:9e:95:84:ab:4e:df:69:4a:67:0b:5f:5a:98:ad:
                    33:70:21:2d:c4:75:b7:6d:fa:f7:e1:69:66:ba:64:
                    35:ec:a6:f4:7a:60:c7:aa:08:e9:60:dd:62:07:67:
                    c4:9f:40:63:c8:74:29:1a:2b:6b:ea:cf:06:25:75:
                    5c:1a:01:52:e0:f9:9a:c1:11:6d:e9:97:ac:c9:33:
                    4a:85:12:da:46:57:e2:32:92:cb:db:d2:8f:3b:1c:
                    68:7b:65:00:25:6d:41:bb:c5:02:17:dd:ba:19:c8:
                    41:4d:e8:4c:bf:5c:82:32:40:bf:48:ca:24:85:52:
                    ef:ef:a1:f3:5e:a8:c6:bf:a9:11:99:22:4d:36:9c:
                    10:d7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                16:10:09:62:8C:0B:84:2D:A5:1B:7B:2C:AD:3D:7D:F9:0C:E4:E0:86
            X509v3 Authority Key Identifier:
                keyid:B0:11:02:21:87:E3:39:5A:15:24:FA:1A:75:41:EA:79:32:85:AF:C2

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/sBECIYfjOVoVJPoadUHqeTKFr8I.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/0f/e8bbd2-1361-41a3-90f0-5334e6b8c5fe/1/FhAJYowLhC2lG3ssrT19-Qzk4IY.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/0f/e8bbd2-1361-41a3-90f0-5334e6b8c5fe/1/sBECIYfjOVoVJPoadUHqeTKFr8I.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  37.128.240.0/20
                  46.21.80.0/20
                  89.144.128.0/18
                  109.109.32.0/19
                  159.20.96.0/20
                  176.12.64.0/20
                  176.221.16.0/20
                  185.56.96.0/22
                IPv6:
                  2a00:1570::/32

    Signature Algorithm: sha256WithRSAEncryption
         13:60:13:6c:e9:91:9b:c6:59:d8:c4:54:2d:46:4d:f5:2f:cd:
         58:a5:ab:39:1d:e5:41:37:22:8c:ec:4f:e1:e8:a7:f9:d9:b2:
         ac:70:ef:2c:f3:de:e4:4d:04:74:be:a1:40:ae:e4:a9:bd:9d:
         68:33:e2:ff:8e:df:a2:c5:87:48:a3:62:22:d0:b0:6c:80:e9:
         d8:d4:f1:87:c6:0c:47:fc:1d:b9:e5:74:fc:31:f3:3a:db:db:
         bb:8d:96:5a:c1:af:32:1b:c2:83:79:a9:b4:54:f5:ce:a5:a4:
         3f:2d:71:04:07:6b:21:90:59:2c:ca:42:b4:a4:8e:ff:d4:7d:
         87:45:e5:01:a7:2a:60:c0:09:fc:51:56:03:6d:0d:dc:ea:d9:
         72:21:01:4a:8e:0e:9f:7f:b3:bb:83:be:c0:06:e3:95:56:c7:
         33:66:72:5b:9e:d3:13:1c:f0:9f:6e:87:23:5a:86:46:31:e1:
         ee:a0:24:c7:ae:5c:39:ae:fa:e7:c5:5b:92:79:ed:f3:9e:5a:
         5a:4e:6d:66:9f:c7:03:05:8c:be:e5:73:40:d8:ca:cd:80:24:
         bc:65:89:d2:98:60:3f:b0:6e:db:6d:7d:7f:6e:97:25:d1:5c:
         73:f1:80:6e:4e:90:67:76:4b:13:d8:05:3f:73:c1:8c:46:63:
         bf:b0:c6:20
-----BEGIN CERTIFICATE-----
MIIFKDCCBBCgAwIBAgIEDL2H6TANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhi
MDExMDIyMTg3ZTMzOTVhMTUyNGZhMWE3NTQxZWE3OTMyODVhZmMyMB4XDTIyMDEw
MTE1MDYyOVoXDTIzMDcwMTAwMDAwMFowMzExMC8GA1UEAxMoMTYxMDA5NjI4YzBi
ODQyZGE1MWI3YjJjYWQzZDdkZjkwY2U0ZTA4NjCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMBYTnADfGmjhLG/mdbiaBWgz0UTn02n9qyeKuaawo7MHYCq
0iKW3/3i8C3GC4HBRUWrciM8lbapHeNICI5aP5ikO9HWahDTjuueGymF84ZKjN2R
R5Xs/pxDtgDCK/UtToofD8kB4F9glrfQvHWE57CG1CracWCs/56VhKtO32lKZwtf
WpitM3AhLcR1t2369+FpZrpkNeym9Hpgx6oI6WDdYgdnxJ9AY8h0KRora+rPBiV1
XBoBUuD5msERbemXrMkzSoUS2kZX4jKSy9vSjzscaHtlACVtQbvFAhfduhnIQU3o
TL9cgjJAv0jKJIVS7++h816oxr+pEZkiTTacENcCAwEAAaOCAkIwggI+MB0GA1Ud
DgQWBBQWEAlijAuELaUbeyytPX35DOTghjAfBgNVHSMEGDAWgBSwEQIhh+M5WhUk
+hp1Qep5MoWvwjAOBgNVHQ8BAf8EBAMCB4AwZAYIKwYBBQUHAQEEWDBWMFQGCCsG
AQUFBzAChkhyc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxU
L3NCRUNJWWZqT1ZvVkpQb2FkVUhxZVRLRnI4SS5jZXIwgY0GCCsGAQUFBwELBIGA
MH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5
L0RFRkFVTFQvMGYvZThiYmQyLTEzNjEtNDFhMy05MGYwLTUzMzRlNmI4YzVmZS8x
L0ZoQUpZb3dMaEMybEczc3NyVDE5LVF6azRJWS5yb2EwgYEGA1UdHwR6MHgwdqB0
oHKGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMGYv
ZThiYmQyLTEzNjEtNDFhMy05MGYwLTUzMzRlNmI4YzVmZS8xL3NCRUNJWWZqT1Zv
VkpQb2FkVUhxZVRLRnI4SS5jcmwwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBY
BggrBgEFBQcBBwEB/wRJMEcwNgQCAAEwMAMEBCWA8AMEBC4VUAMEBlmQgAMEBW1t
IAMEBJ8UYAMEBLAMQAMEBLDdEAMEArk4YDANBAIAAjAHAwUAKgAVcDANBgkqhkiG
9w0BAQsFAAOCAQEAE2ATbOmRm8ZZ2MRULUZN9S/NWKWrOR3lQTcijOxP4ein+dmy
rHDvLPPe5E0EdL6hQK7kqb2daDPi/47fosWHSKNiItCwbIDp2NTxh8YMR/wdueV0
/DHzOtvbu42WWsGvMhvCg3mptFT1zqWkPy1xBAdrIZBZLMpCtKSO/9R9h0XlAacq
YMAJ/FFWA20N3OrZciEBSo4On3+zu4O+wAbjlVbHM2ZyW57TExzwn26HI1qGRjHh
7qAkx65cOa7658Vbknnt855aWk5tZp/HAwWMvuVzQNjKzYAkvGWJ0phgP7Bu2219
f26XJdFcc/GAbk6QZ3ZLE9gFP3PBjEZjv7DGIA==
-----END CERTIFICATE-----