We are running EJBCA 184.108.40.206 community edition which has BC "under the hood". We have run into an issue with certificates with SANs. Specifically, we have a requirement to include an AMQP URI as a SAN in a family of certificates. The URI format includes a "+" symbol in the URI so the URI looks something like this:
This is a valid URI. Unfortunately, during the certification creation process, it appears that the "+" sign is getting escaped by EJBCA. We removed the escape function in EJBCA, but now the "plus" as well as all following text gets removed. It appears that the "+" gets caught up in tokenization, but how is unclear.
So after EJBCA escapes it, the SAN looks like: amqp://end.entity\+1234
And if we remove the escape, the SAN looks like: amqp://end.entity
Can anybody tell me if BouncyCastle removes "+" from a SAN string and if so, where does that occur? We need to let the "plus" go through untampered. The version EJBCA runs is 1.51 (Java).
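The two SANs quoted in the post match what happens when a value is pushed through an RFC 4514-style tokenizer, where an unescaped "+" separates the values of a multi-valued RDN. The following is an added example, not part of the original post and not EJBCA or Bouncy Castle code; the `uri=` label, the function names and the assumption that the SAN string is tokenized this way are all illustrative.

```python
# Simplified model of RFC 4514-style tokenizing; not EJBCA or Bouncy Castle code.
SPECIALS = '\\,+"<>;'                   # characters escaped with a backslash
SAMPLE_URI = "amqp://end.entity+1234"   # rebuilt from the two SANs quoted in the post

def split_unescaped(text, sep):
    """Split on sep, skipping any separator that follows a backslash."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)              # keep it; unescaping is a separate step
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts

def escape_value(value):
    return "".join("\\" + c if c in SPECIALS else c for c in value)

def unescape_value(value):
    out, escaped = [], False
    for ch in value:
        if ch == "\\" and not escaped:
            escaped = True              # drop the escape, keep the next char
        else:
            out.append(ch)
            escaped = False
    return "".join(out)

def parse_altname(text, unescape):
    """Return (type, value) pairs; only the first value of a '+' group is kept."""
    pairs = []
    for entry in split_unescaped(text, ","):
        first = split_unescaped(entry, "+")[0]   # a bare '+1234' is lost here
        key, _, value = first.strip().partition("=")
        pairs.append((key, unescape_value(value) if unescape else value))
    return pairs

def three_outcomes(uri=SAMPLE_URI):
    raw = parse_altname("uri=" + uri, unescape=False)[0][1]
    escaped_only = parse_altname("uri=" + escape_value(uri), unescape=False)[0][1]
    round_trip = parse_altname("uri=" + escape_value(uri), unescape=True)[0][1]
    return raw, escaped_only, round_trip
```

In this model the value only survives intact when it is escaped before tokenizing and unescaped afterwards, just before it is placed in the certificate.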