This is a watered-down version of the many posts out there on this old but good topic.
Here’s a really good article on how to set Central Administration on a high port; it also lists best-practice considerations and explains them, e.g. run it up on a high port, then change it: http://www.harbar.net/articles/spca.aspx
High-level steps:
Set your Central Administration web application and site to run on SSL, along with all of your other web applications and sites in SharePoint.
Create a CNAME record that resolves to your load balancer.
Create a binding in IIS for your Central Admin site on port 443 with your new binding.
Change your default AAM (alternate access mapping) to match the new vanity URL, then verify that the registry changed, too:
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS
Set-SPCentralAdministration -Port 443
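A read-only check of the result of the steps above, as an added example that is not from the original post. It assumes an elevated shell on the server hosting Central Administration, a placeholder vanity URL (`https://spca.example.com`), an IIS binding that carries the vanity host header, and that the URL is stored in the `CentralAdministrationURL` value under the WSS key (the post names only the key).

```powershell
# Added example: read-only verification of the Central Administration change.
# $VanityUrl is a placeholder (assumption); pass your own vanity URL.
param([string]$VanityUrl = 'https://spca.example.com')

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$expected = $VanityUrl.TrimEnd('/')
$hostName = ([uri]$expected).Host

# DNS: the vanity name must resolve (the CNAME should lead to the load balancer).
$addresses = @()
try { $addresses = @([System.Net.Dns]::GetHostAddresses($hostName)) } catch { }

# AAM: public URL of the Default zone on the Central Administration web application.
$ca  = Get-SPWebApplication -IncludeCentralAdministration |
       Where-Object { $_.IsAdministrationWebApplication }
$aam = @(Get-SPAlternateURL -WebApplication $ca -Zone Default |
       ForEach-Object { "$($_.PublicUrl)".TrimEnd('/') } | Select-Object -Unique)

# Registry: URL recorded under the WSS key named in the steps above.
# The value name CentralAdministrationURL is an assumption not stated in the post.
$key = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS'
$reg = [string](Get-ItemProperty -Path $key).CentralAdministrationURL

# IIS: an https binding on 443 (assumes the binding carries the vanity host header).
$bind = @(Get-WebBinding -Protocol https -Port 443 -HostHeader $hostName)

$checks = @(
    [pscustomobject]@{ Check = 'DNS resolves'
                       Pass  = ($addresses.Count -gt 0)
                       Found = ($addresses -join ', ') }
    [pscustomobject]@{ Check = 'Default-zone AAM'
                       Pass  = ($aam.Count -eq 1 -and $aam[0] -eq $expected)
                       Found = ($aam -join ', ') }
    [pscustomobject]@{ Check = 'Registry URL'
                       Pass  = ($reg.TrimEnd('/') -eq $expected)
                       Found = $reg }
    [pscustomobject]@{ Check = 'IIS https binding on 443'
                       Pass  = ($bind.Count -gt 0)
                       Found = ($bind.bindingInformation -join ', ') }
)

$checks | Format-Table -AutoSize
# Non-zero exit code lets a scheduled job or build step flag drift.
if ($checks.Pass -contains $false) { exit 1 }
```

A failing registry check while the AAM check passes means the stored Central Administration URL still points at the old address, which is the mismatch the last step asks you to verify.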