Type: Enhancement
Resolution: Unresolved
Priority: P3
In enterprise environments using Microsoft Active Directory Certificate Services (ADCS), it is common for Certification Authorities (CAs) to be renewed with new key pairs.
During this process, ADCS appends a numeric suffix in parentheses to the CA name (e.g., MyCA (1)), which is then reflected in the CDP and AIA URLs embedded in issued certificates.
While these URLs are technically valid per RFC 3986, Java's URL parsing and certificate validation mechanisms often fail to retrieve CRLs or AIA information when such parentheses are present in the path.
This results in certificate validation failures in Java-based applications, despite the certificates and CRLs being correctly published and accessible.
Some recommendations on improving this behaviour:
1. Properly handle parentheses in URLs used for CRL and AIA retrieval, either by supporting them directly or by automatically percent-encoding them.
2. Align with RFC 3986-compliant URI parsing to improve interoperability with widely used PKI infrastructures such as Microsoft ADCS.
This enhancement would significantly improve Java's compatibility with enterprise PKI environments and reduce the need for workarounds such as manual URL rewriting or CA renaming.
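The following is an added example, not code from this issue or from the JDK, showing recommendation 1 applied on the client side: a CDP or AIA URL string is checked against java.net.URI's parsing rules, and its path is percent-encoded so that parentheses (and any space ADCS may leave in the renewed CA name) no longer reach the fetcher raw. RFC 3986 permits parentheses in a path segment, so the encoded form refers to the same resource. The class name CdpUrlNormalizer, the host pki.example.com and the two sample URLs are constructed for the example; the code assumes the input path is not already percent-encoded and only rewrites http/https URLs, since ldap: URLs use a different syntax.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;

/**
 * Hypothetical helper (not part of the JDK) that normalizes http(s) CDP/AIA URLs
 * before they are handed to a CRL or issuer-certificate fetcher.
 */
public final class CdpUrlNormalizer {

    /** RFC 3986 unreserved characters plus '/' stay as-is; everything else, including '(', ')' and ' ', is percent-encoded. */
    private static boolean isSafe(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
            || c == '-' || c == '.' || c == '_' || c == '~' || c == '/';
    }

    /** Percent-encodes the path of an http(s) URL; scheme and authority are left untouched. Non-http(s) URLs are returned unchanged. */
    public static String normalize(String url) {
        if (!url.startsWith("http://") && !url.startsWith("https://")) {
            return url; // e.g. ldap: distribution points use a different syntax
        }
        int pathStart = url.indexOf('/', url.indexOf("://") + 3);
        if (pathStart < 0) {
            return url; // no path component to rewrite
        }
        StringBuilder sb = new StringBuilder(url.substring(0, pathStart));
        // Encode byte-wise so non-ASCII path characters become proper UTF-8 percent-escapes.
        for (byte b : url.substring(pathStart).getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xff);
            if (isSafe(c)) {
                sb.append(c);
            } else {
                sb.append('%').append(String.format("%02X", b & 0xff));
            }
        }
        return sb.toString();
    }

    /** Returns null when java.net.URI accepts the string, otherwise the parser's error message. */
    public static String parseProblem(String url) {
        try {
            new URI(url);
            return null;
        } catch (URISyntaxException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample CDP URLs shaped like ADCS output after a CA key renewal (suffix "(1)").
        String[] samples = {
            "http://pki.example.com/CertEnroll/MyCA(1).crl",
            "http://pki.example.com/CertEnroll/MyCA (1).crl"
        };
        for (String s : samples) {
            String before = parseProblem(s);
            System.out.println("original:   " + s + (before == null ? "  [parses]" : "  [rejected: " + before + "]"));
            String n = normalize(s);
            String after = parseProblem(n);
            System.out.println("normalized: " + n + (after == null ? "  [parses]" : "  [rejected: " + after + "]"));
        }
    }
}
```

Running the main method prints each sample URL before and after normalization together with whether java.net.URI accepts it; the normalized form can then be passed to whatever CRL or AIA retrieval path the application uses. Log the original and normalized URL side by side in production so that a validation failure can be traced back to the exact CDP string that was in the certificate.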