How to Secure SharePoint 2016 Central Administration Site from HTTP to HTTPS using an SSL Certificate?

The Central Administration site is a web application where administration activities are performed for the farm. By default, Central Administration runs on non-secure HTTP. Enabling encryption ensures that the communications between users and the central admin website remain secure.

Prerequisite: Of course, You need the SSL certificate! You can use a free domain certificate from an internal CA, but you’ll need a SSL certificate from public certificate authorities for public facing sites.

Overall Steps to Change Central Administration from HTTP to HTTPS:

The steps to secure Central Administration are as follows:

Set SharePoint Central Administration site to use SSL Port 443
Assign SSL certificate binding to the Central Admin Web application through IIS.
Verify the Alternate Access Mappings to accommodate the port change

Why should we Enable SSL for the Central Administration site?

To protect sensitive information, such as credentials, it’s essential to enable SSL on the SharePoint Central Administration site. While it’s a general best practice to safeguard external-facing web applications, it’s also mandatory to encrypt internal communications between the Central Admin site. Otherwise, you will see the following message:

Warning: this page is not encrypted for secure communication. User names, passwords, and any other information will be sent in clear text. For more information, contact your administrator.

Also, If you don’t encrypt the SharePoint Central Admin site, you risk passing credentials in the clear text.

Step 1: Set SharePoint Central Administration site to use SSL Port 443

Log on to your SharePoint server hosting the SharePoint Central Administration site. By default, the first server you install SharePoint configures Central Administration automatically.

Open the SharePoint 2016 Management Shell (run as Administrator if UAC is not disabled)
Enter the following cmdlets and run

Set-SPCentralAdministration -SecureSocketsLayer -Port 443

sharepoint central admin ssl

This will reconfigure the SharePoint Central Administration site to use that port with an SSL binding.

Step 2: Assign SSL certificate binding to the Central Admin Web application

Import your SSL certificate to IIS: After getting the certificate from either your internal CA or public CA authority, import the certificate through >> IIS >> Server Certifications >> Import.

Bind the SSL Certificate with the Central Admin Site:
As a next step, You’ll assign the SSL certificate to the SharePoint Central Administration site. Please note, if you do run Central Admin on more than one server, you’ll need to assign the SSL certificate to the web site on each machine.

Open IIS Manager (Start >> Run >> Type “InetMgr”)
Navigate to SharePoint Central Administration v4 >> Click on “Bindings…” from the right-hand panel.
On the Bindings dialog, click on Edit…
In the Edit Site Binding dialog, select HTTPS from the Type dropdown, and leave the IP address as All Unassigned, and the Port should say 443. Enter the Hostname as ca.crescent.com, and select the certificate you imported earlier. Click OK.

Visit the site, and ensure that it renders on port 443.

Step 3: Verify the Alternate Access Mappings

When you set the SharePoint central admin to use SSL, SharePoint 2016 automatically modifies the default AAM to point to the new HTTPS URL. E.g., from https://ca.crescent.com to https://ca.crescent.com. You can verify it once:

sharepoint 2016 central admin ssl

Go to: SharePoint 2016 Central Administration >> Click On Application Management
Click on “Configure alternate access mappings”
Click on “Edit Public URLs” >> Pick the SharePoint Central Administration web application >> The default URL should be: https://ca.crescent.com

In case Central Admin is inaccessible, You can add a new URL to the AAM binding. Run this PowerShell cmd:

New-SPAlternateUrl -WebApplication https://ca-old-url:port -Url https://your-ca-new-url:port -Zone Default