I am aware of that specific "Microsoft recommendation". Still the way to implement is to extend CA into a different zone (say Intranet) and enable SSL for the extension and advise the administrator to use the SSL-enabled URL.
I would not recommend that you implement SSL in the default zone. That if you do not want to have much unpredictability operating this farm in the near-, medium- and long-term
I would not recommend that you implement SSL in the default zone. That if you do not want to have much unpredictability operating this farm in the near-, medium- and long-term