Michael Blumenthal's BlumenthalIT.NET: Blogging about SharePoint
So you want to secure Central Admin on IIS 7 in Windows Server 2008

You’ve already installed SharePoint.  You want to use SSL to secure Central Admin because it is the Right Thing To Do and it makes those annoying warnings go away.

Note that you could not do this during installation because psconfig does not provide a command line option for creating Central Admin with SSL.  See http://technet.microsoft.com/en-us/library/cc263093.aspx#section2.

You need a certificate, but you don’t need to buy an official one – after all, the only people using the Central Admin site are the Farm Admin(s), and they can set their web browsers to trust a self signed certificate.  In fact, if they always remote desktop into the web front end that runs Central Admin, they only have to set the web browser there to trust the self signed certificate issuer.

IIS 7 can make a self-signed certificate, but it will use the server's full name (FQDN) instead of just the hostname.  The URL for Central Admin, however, generally uses just the hostname.  That's where SelfSSL comes in handy.  SelfSSL is an IIS 6 Resource Kit tool.  You get it here: details.aspx-FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en.

You MUST run SelfSSL from an ELEVATED command prompt (in other words, RUN AS ADMIN!).  Then you can use a command like this:

SelfSSL /T /N:CN=MOSSCA1 /V:3650 /S:697346987 /P:21121

It may ask you “Do you want to replace the SSL settings for site 697346987? (Y/N)”.

If you are not running an elevated command prompt, nothing will happen even if you answer yes, though the program will exit without reporting an error.

When it works (and again, you must be running as admin), it will say “The self signed certificate was successfully assigned to site 697346987.”

This assumes your Central Admin server is named MOSSCA1, you want the cert to be good for 10 years (3650 days), the IIS site ID of the CA site is 697346987 and Central Admin is on port 21121.

You can find the IIS Site ID by clicking on the Sites folder in the IIS 7 IIS Manager MMC.

Once you run SelfSSL, you need to update the bindings for the CA website in IIS. Select the site, click Bindings in the task pane, and change the port number of the HTTP binding to an unused port. Then add an HTTPS binding and pick the certificate you created.

Once you have the HTTPS binding defined, you can then go to the Features view of the Central Admin site and click on the SSL Settings (the lock icon) to specify that SSL is required, not optional, and that it should use 128 bit SSL.


Once you have that done, you can browse to Central Admin on the new port, and then you need to update the Alternate Access Mappings for the Central Admin web application to specify HTTPS instead of HTTP.  For more details on this step, see step #5 of this blog post: http://blogs.msdn.com/bgeoffro/archive/2008/02/11/adding-kerberos-ssl-to-central-administration.aspx
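The IIS binding and SSL Settings steps above, done from PowerShell instead of IIS Manager, as an added example that is not part of the original post. It assumes the WebAdministration module (IIS 7.5 on Windows Server 2008 R2 or later; on Server 2008 itself use Add-PSSnapin WebAdministration), that SelfSSL has already put a certificate with CN=MOSSCA1 in the machine's Personal store, and that the site name and the spare HTTP port shown are placeholders you adjust; the Alternate Access Mappings step is not covered.

```powershell
# Added example, not from the original post. Scripted form of the IIS binding and
# SSL-required steps after SelfSSL has run. Site name and spare port are assumptions.
Import-Module WebAdministration

$hostName  = 'MOSSCA1'                                  # Central Admin host, as in the post
$siteName  = 'SharePoint Central Administration v3'     # IIS site name (assumed default)
$caPort    = 21121                                      # port Central Admin currently uses
$spareHttp = 21122                                      # unused port to park the HTTP binding on (assumption)

# 1. Find the SelfSSL certificate by subject. A CN that is the FQDN instead of the
#    hostname means IIS's own self-signed cert was picked up, not the SelfSSL one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$hostName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$hostName in LocalMachine\My; run SelfSSL first." }

# 2. Move the existing HTTP binding off the Central Admin port to the spare port.
Set-WebBinding -Name $siteName -BindingInformation "*:${caPort}:" -PropertyName Port -Value $spareHttp

# 3. Add the HTTPS binding on the original port and attach the certificate to it.
New-WebBinding -Name $siteName -Protocol https -Port $caPort -IPAddress '*'
Push-Location IIS:\SslBindings
if (Test-Path "0.0.0.0!$caPort") { Remove-Item "0.0.0.0!$caPort" }
New-Item "0.0.0.0!$caPort" -Value $cert | Out-Null
Pop-Location

# 4. Require SSL with 128-bit encryption (the lock icon "SSL Settings" in IIS Manager).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,Ssl128'

# 5. List the resulting bindings so the change can be confirmed before updating AAM.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
```

Browse to https://MOSSCA1:21121 afterwards and confirm the certificate subject matches the hostname before changing the Alternate Access Mappings.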

I think that about covers it.

--Michael
