How to Secure SharePoint 2016 Central Administration Site from HTTP to HTTPS using SSL Certificate?

Central Administration site is a web application where administration activities are performed for the farm. By default, Central Administration runs on non-secure HTTP. Enabling encryption ensures that the communications between users and the central admin website remain secure.

Prerequisite: Of course, You need the SSL certificate! You can use a free domain certificate from an internal CA, but you'll need a SSL certificate from public certificate authorities for public facing sites.

Overall Steps to Change Central Administration from HTTP to HTTPS:
The steps to secure Central Administration are as follows:

1. Set SharePoint Central Administration site to use SSL Port 443
2. Assign SSL certificate binding to the Central Admin Web application through IIS. 
3. Verify the Alternate Access Mappings to accommodate the port change

Why We should Enable SSL for Central Administration site?
To protect sensitive information such as credentials, its essential to enable SSL on SharePoint Central Administration site. While, its a general best practice to protect external facing web applications, its also mandatory to encrypt communications between Central Admin site internally. Otherwise, you will see the following message:

Warning: this page is not encrypted for secure communication. User names, passwords, and any other information will be sent in clear text. For more information, contact your administrator.

Also, If you don't encrypt SharePoint Central Admin site, you risk passing credentials in clear text.

Step 1: Set SharePoint Central Administration site to use SSL Port 443
Logon to your SharePoint server hosting SharePoint Central Administration site. By default, the first server you install SharePoint configures Central Administration automatically.

• Open the SharePoint 2016 Management Shell (run as Administrator if UAC is not disabled)
• Enter following cmdlets and run
  

   Set-SPCentralAdministration -SecureSocketsLayer -Port 443 

  

This will reconfigure the SharePoint Central Administration site to use that port with an SSL binding.


Step 2: Assign SSL certificate binding to the Central Admin Web application
Import your SSL certificate to IIS: After getting the certificate from either from your internal CA or from public CA authority, Import the certificate through >> IIS >> Server Certifications >> Import

Bind the SSL Certificate with Central Admin Site:
As a next step, You'll assign the SSL certificate to the SharePoint Central Administration site.  Please note, if you do run Central Admin on more than one server, you'll need to assign the SSL certificate to the web site on each machine.

• Open IIS Manager (Start >> Run >> Type "InetMgr")
• Navigate to SharePoint Central Administration v4 >> Click on "Bindings…" from the right hand panel.
• On the Bindings dialog, click on Edit…
• In the Edit Site Binding dialog, select https from the Type dropdown, leave the IP address as All Unassigned, the Port should say 443. Enter the Host name as cadmin.crescent.com, Select your certificate you imported earlier. Click OK
  

Visit the site, and ensure that it renders on port 443.


Step 3: Verify the Alternate Access Mappings 
When you set the SharePoint central admin to use SSL, SharePoint 2016 automatically modifies the default AAM to point to the new HTTPS URL. E.g. from http://ca.crescent.com to the https://ca.crescent.com. You can verify it once:

• Go to: SharePoint 2016 Central Administration >>  Click On Application Management
• Click on "Configure alternate access mappings"
• Click on "Edit Public URLs"  >> Pick the SharePoint Central Administration web application >> The default URL should be: https://ca.crescent.com
  

In case, Central Admin is not accessible, You can add new URL to the AAM binding. Run this PowerShell cmd

New-SPAlternateUrl -WebApplication https://ca-old-url:port -Url https://your-ca-new-url:port -Zone Default