在 JBoss EAP (WildFly) 環境中,處理 HTTPS 憑證的「正確做法」應分為兩個層次:**伺服器端(JBoss 本身)**與 客戶端(你的 Spring Boot App)。
既然你正朝向規劃「私有 CA」的方向前進,以下是企業級環境中最標準的實作流程:
1. 伺服器端:在 JBoss 上安裝憑證
要讓 JBoss 服務正確跑在 HTTPS 上,不能只靠程式碼,必須在 JBoss 的硬體層級配置 KeyStore。
步驟 A:產生私鑰與證書請求 (CSR)
在 JBoss 伺服器上執行,產生一個代表這台伺服器的身份檔案:
Bash
keytool -genkeypair -alias jboss_server -keyalg RSA -keysize 2048 -keystore jboss.jks
接著產生 CSR 檔案,交給你們規劃的 CA Server 簽署。
步驟 B:匯入簽署後的憑證
當 CA 簽回 .cer 檔後,將「根憑證」與「伺服器憑證」匯入:
Bash
# 1. 先匯入 Root CA (讓 JBoss 知道誰是老大)
keytool -import -alias root_ca -file internal_root.cer -keystore jboss.jks
# 2. 再匯入簽好的 Server 憑證
keytool -import -alias jboss_server -file signed_server.cer -keystore jboss.jks
步驟 C:修改 JBoss 配置 (standalone.xml)
在 elytron 子系統(EAP 7+)或 web 子系統中定義 key-manager,指向這個 jboss.jks。這樣 JBoss 對外提供的連線就會是受信任的 HTTPS。
2. 客戶端(Spring Boot):正確連接的方法
當 JBoss 已經掛好正確憑證後,你的 Java 程式碼就不需要再寫「繞過 SSL」的髒代碼了。
方案一:匯入 JVM 信任庫(最省事)
如果你不想在程式碼裡寫任何 SSL 配置,直接把公司的 Root CA 匯入 JBoss 運行的 JDK 中:
Bash
keytool -import -file internal_root.cer -alias my_company_ca -keystore $JAVA_HOME/lib/security/cacerts
優點:RestTemplate 或 OkHttp 只要用預設配置就能連上 HTTPS,因為它們會自動信任 JDK 裡的 CA。
缺點:每次升級 JDK 都要重新匯入。
方案二:在程式碼中指定 TrustStore(最安全)
這就是我們之前討論的「資安正確做法」。不修改全局 JDK,只針對這個 App 進行配置:
5ZyoIEpCb3NzIEVBUCAoV2lsZEZseSkg55Kw5aKD5Lit77yM6JmV55CGIEhUVFBTIOaGkeitieeahOOAjOato+eiuuWBmuazleOAjeaHieWIhueCuuWFqeWAi+WxpOasoe+8mioq5Ly65pyN5Zmo56uv77yISkJvc3Mg5pys6Lqr77yJKiroiIcg5a6i5oi256uv77yI5L2g55qEIFNwcmluZyBCb290IEFwcO+8ieOAggoKCgrml6LnhLbkvaDmraPmnJ3lkJHopo/lioPjgIznp4HmnIkgQ0HjgI3nmoTmlrnlkJHliY3pgLLvvIzku6XkuIvmmK/kvIHmpa3ntJrnkrDlooPkuK3mnIDmqJnmupbnmoTlr6bkvZzmtYHnqIvvvJoKCgoKMS4g5Ly65pyN5Zmo56uv77ya5ZyoIEpCb3NzIOS4iuWuieijneaGkeitiQoK6KaB6K6TIEpCb3NzIOacjeWLmeato+eiuui3keWcqCBIVFRQUyDkuIrvvIzkuI3og73lj6rpnaDnqIvlvI/norzvvIzlv4XpoIjlnKggSkJvc3Mg55qE56Gs6auU5bGk57Sa6YWN572uIEtleVN0b3Jl44CCCgoKCuatpempnyBB77ya55Si55Sf56eB6ZGw6IiH6K2J5pu46KuL5rGCIChDU1IpCgrlnKggSkJvc3Mg5Ly65pyN5Zmo5LiK5Z+36KGM77yM55Si55Sf5LiA5YCL5Luj6KGo6YCZ5Y+w5Ly65pyN5Zmo55qE6Lqr5Lu95qqU5qGI77yaCgoKCkJhc2gKCmtleXRvb2wgLWdlbmtleXBhaXIgLWFsaWFzIGpib3NzX3NlcnZlciAta2V5YWxnIFJTQSAta2V5c2l6ZSAyMDQ4IC1rZXlzdG9yZSBqYm9zcy5qa3MKCuaOpeiRl+eUoueUnyBDU1Ig5qqU5qGI77yM5Lqk57Wm5L2g5YCR6KaP5YqD55qEIENBIFNlcnZlciDnsL3nvbLjgIIKCgoK5q2l6amfIELvvJrljK/lhaXnsL3nvbLlvoznmoTmhpHorYkKCueVtiBDQSDnsL3lm54gLmNlciDmqpTlvozvvIzlsIfjgIzmoLnmhpHorYnjgI3oiIfjgIzkvLrmnI3lmajmhpHorYnjgI3ljK/lhaXvvJoKCgoKQmFzaAoKIyAxLiDlhYjljK/lhaUgUm9vdCBDQSAo6K6TIEpCb3NzIOefpemBk+iqsOaYr+iAgeWkpykKCmtleXRvb2wgLWltcG9ydCAtYWxpYXMgcm9vdF9jYSAtZmlsZSBpbnRlcm5hbF9yb290LmNlciAta2V5c3RvcmUgamJvc3MuamtzCgojIDIuIOWGjeWMr+WFpeewveWlveeahCBTZXJ2ZXIg5oaR6K2JCgprZXl0b29sIC1pbXBvcnQgLWFsaWFzIGpib3NzX3NlcnZlciAtZmlsZSBzaWduZWRfc2VydmVyLmNlciAta2V5c3RvcmUgamJvc3MuamtzCgrmraXpqZ8gQ++8muS/ruaUuSBKQm9zcyDphY3nva4gKHN0YW5kYWxvbmUueG1sKQoK5ZyoIGVseXRyb24g5a2Q57O757Wx77yIRUFQIDcr77yJ5oiWIHdlYiDlrZDns7vntbHkuK3lrprnvqkga2V5LW1hbmFnZXLvvIzmjIflkJHpgJnlgIsgamJvc3Muamtz44CC6YCZ5qijIEpCb3NzIOWwjeWkluaPkOS+m+eahOmAo+e3muWwseacg+aYr+WPl+S/oeS7u+eahCBIVFRQU+OAggoKCgoyLiDlrqLmiLbnq6/vvIhTcHJpbmcgQm9vdO+8ie+8muato+eiuumAo+aOpeeahOaWueazlQoK55W2IEpCb3NzIOW3sue2k+aOm+Wlveato+eiuuaGkeitieW+jO+8jOS9oOeahCBKYXZhIOeoi+W8j+eivOWwseS4jemcgOimgeWGjeWvq+OAjOe5numBjiBTU0zjgI3nmoTpq5Lku6PnorzkuobjgIIKCgoK5pa55qGI5LiA77ya5Yyv5YWlIEpWTSDkv6Hku7vluqvvvIjmnIDnnIHkuovvvIkKCuWmguaenOS9oOS4jeaDs+WcqOeoi+W8j+eivOijoeWvq+S7u+S9lSBTU0wg6YWN572u77yM55u05o6l5oqK5YWs5Y+455qEIFJvb3QgQ0Eg5Yyv5YWlIEpCb3NzIOmBi+ihjOeahCBKREsg5Lit77yaCgoKCkJhc2gKCmtleXRvb2wgLWltcG9ydCAtZmlsZSBpbnRlcm5hbF9yb290LmNlciAtYWxpYXMgbXlfY29tcGFueV9jYSAta2V5c3RvcmUgJEpBVkFfSE9NRS9saWIvc2VjdXJpdHkvY2FjZXJ0cwoK5YSq6bue77yaUmVzdFRlbXBsYXRlIOaIliBPa0h0dHAg5Y+q6KaB55So6aCQ6Kit6YWN572u5bCx6IO96YCj5LiKIEhUVFBT77yM5Zug54K65a6D5YCR5pyD6Ieq5YuV5L+h5Lu7IEpESyDoo6HnmoQgQ0HjgIIKCgoK57y66bue77ya5q+P5qyh5Y2H57SaIEpESyDpg73opoHph43mlrDljK/lhaXjgIIKCgoK5pa55qGI5LqM77ya5Zyo56iL5byP56K85Lit5oyH5a6aIFRydXN0U3RvcmXvvIjmnIDlronlhajvvIkKCumAmeWwseaYr+aIkeWAkeS5i+WJjeiojuirlueahOOAjOizh+Wuieato+eiuuWBmuazleOAjeOAguS4jeS/ruaUueWFqOWxgCBKREvvvIzlj6rph53lsI3pgJnlgIsgQXBwIOmAsuihjOmFjee9ru+8mgo=