If I want to set up HTTPS, I need to add the management fraction. I understand why: the keystore needs to be added to a security realm which can then be presented to the Undertow subsystem.
However, there's no way to say "I only want the security realm for Undertow, not the management endpoints". WildFly even reminds me:
This can possibly have undesirable security implications, especially given that the management endpoint is by default bound to all network interfaces: