Score:8

SAN certificate with URI fragment


I need to generate a TLS certificate with a SAN URI where the URI has a fragment (has a hash '#'). But when I try to generate a certificate using openssl, the fragment gets stripped.

# generate key and CSR for client certificate
openssl req -nodes -new -keyout me.key -out me.csr -subj "/O=Acme/CN=me"

# sign cert
openssl x509 -req -in me.csr -CA My-CA.crt -CAkey My-CA.key -set_serial 01 -out me.crt -extfile <(echo 'subjectAltName=URI:https://my.example/profile#me')

# verify result
openssl x509 -text -noout -in me.crt
#         X509v3 extensions:
#             X509v3 Subject Alternative Name:
#                 URI:https://my.example/profile

I've tried a few different ways of escaping the value, but nothing seems to work as expected. I think the escapes may work for fields like Common Name, but don't work in the SAN section.

I'm open to openssl alternatives. But it would be helpful to see a proof-of-concept certificate I can use to verify that it works.

NOTE: This is essentially a requirement of WebID-TLS (https://www.w3.org/2005/Incubator/webid/spec/tls/#dfn-webid_certificate). While it's possible to use a URL without a fragment for WebID, it's not recommended and requires extra work. It definitely should be supported.

Score:7

A hash sign in an OpenSSL config is treated as the beginning of a comment, no matter whether the config is given in a real file or generated on the fly. If you want to include it in the SAN, you therefore need to escape or quote the hash to prevent it from being treated as the start of a comment. Quoted, it looks like this:

... -extfile <(echo 'subjectAltName="URI:https://my.example/profile#me"')

or escaped:

... -extfile <(echo 'subjectAltName=URI:https://my.example/profile\#me')
Score:4

You could use a config file instead to define the SAN:

subjectAltName = @alt_names

[alt_names]
URI.1 = http://example.test/some\#thing
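As an added example, not taken from either answer above, the following POSIX shell script reproduces the stripped fragment from the question and then applies all three fixes: the escaped and quoted forms from the first answer, and the [alt_names] section form from the second. It then reads the SAN back out of each certificate so you can confirm which forms keep the fragment. The CA, key, subject names and the URI are constructed for the demo; it assumes an openssl binary on PATH (1.1.1 or newer) and a system openssl.cnf, and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): how '#' in an OpenSSL extension config
# is handled, and how to keep a fragment in a SAN URI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed demo CA plus a client key/CSR. All names are constructed.
make_ca_and_csr() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/O=Acme/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -nodes -newkey rsa:2048 -subj "/O=Acme/CN=me" \
    -keyout "$WORK/me.key" -out "$WORK/me.csr" >/dev/null 2>&1
}

# sign_with_extfile <out.crt> <config line>...: write the given lines to an
# extension file and sign the CSR with it (same shape as -extfile <(echo ...)).
sign_with_extfile() {
  out=$1; shift
  printf '%s\n' "$@" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/me.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 01 -days 1 -extfile "$WORK/ext.cnf" -out "$out" >/dev/null 2>&1
}

# san_uri <cert>: print the URI stored in the certificate's SAN extension.
# Reading it back from the issued certificate is the check that matters:
# the config text can look right while the DER value is already truncated.
san_uri() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

demo() {
  make_ca_and_csr
  # 1. Bare '#': the config parser treats it as a comment start, fragment lost.
  sign_with_extfile "$WORK/bare.crt" \
    'subjectAltName=URI:https://my.example/profile#me'
  # 2. Backslash-escaped '#': fragment kept.
  sign_with_extfile "$WORK/escaped.crt" \
    'subjectAltName=URI:https://my.example/profile\#me'
  # 3. Quoted value: '#' inside quotes is literal, fragment kept.
  sign_with_extfile "$WORK/quoted.crt" \
    'subjectAltName="URI:https://my.example/profile#me"'
  # 4. Separate [alt_names] section, still escaping the hash.
  sign_with_extfile "$WORK/section.crt" \
    'subjectAltName=@alt_names' '' '[alt_names]' \
    'URI.1=https://my.example/profile\#me'
  for name in bare escaped quoted section; do
    printf '%-8s %s\n' "$name" "$(san_uri "$WORK/$name.crt")"
  done
}

demo
```

Running it prints one line per variant; only the bare form comes back without "#me". The same `san_uri` check is worth keeping in any issuance pipeline for WebID-style certificates, since the fragment is the part that identifies the profile and its loss produces a certificate that still verifies but points at the wrong resource.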