
SSL Certificate

Arzo_
Occasional Contributor

SSL Certificate

Hi all,

I installed an SA2000 at one of my customer sites. Now he is saying that the authentication is not secure, that the secure connection starts after the username/password authentication, so he wants to buy a certificate to make the auth secure.

He said that the browser can't identify the certificate, and he needs to buy a certificate for his device. Honestly, I'm not very familiar with this issue and I need your help to finalize it.

3 REPLIES
mnarine_
Contributor

Re: SSL Certificate

The connection is secure even before entering the user auth because it is an HTTPS connection. However, the cert on the SA is a self-signed cert and the browser does not know which Root CA provided the cert. To get the additional level of security and not have that issue, you need to get a device cert. Go to the Certificates section on the SA, generate a CSR (certificate signing request) and use one of the public root CAs to purchase an SSL cert. Once you have received the signed cert, you will have to import it to the SA and associate the new cert with whichever port (internal/external) is accepting inbound connections.

For additional details on certs, check the admin guide.

Hope that helps.

dcamara_
Occasional Contributor

Re: SSL Certificate

Agreed, it is best if the SA is external to get a cert signed from one of the root CAs; that way it is trusted and does not throw any warnings on end user systems (being how picky browsers are getting nowadays, though this is for a good reason). Also remember you should import the Intermediate Device CA from whatever root CA you pick. There is a link to do this off the Device Certificate page on the CA.

stine_
Super Contributor

Re: SSL Certificate

Alternately, if your user-base is SMALL and internal (or at least all members of the domain), you can sign the certificate with your AD Certificate authority and push the CA cert to your users' machines via group policy.

I have a 10 user system, and for non-customer facing servers, this is what we do. For customer facing systems, we bite the bullet and pay for a 'real' certificate.
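
The trust difference the replies describe, as an added example that is not part of the original thread or the SA's own tooling: a throwaway lab PKI built with the `openssl` CLI, showing a self-signed device certificate failing verification, a CA-signed one failing when the intermediate is missing, and passing once the intermediate is supplied. All names (`lab-root`, `lab-intermediate`, `sa.example.test`) are constructed; `lab-root` stands in for the public root CA or the AD CA whose certificate clients already trust.

```shell
#!/bin/sh
# Constructed lab PKI. All names (lab-root, lab-intermediate, sa.example.test)
# are made up; the lab root stands in for a public root CA or an AD CA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# new_key_and_csr NAME CN: private key plus CSR, the artifact sent to a CA
new_key_and_csr() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# sign CSR_NAME CA_NAME EXT_SECTION: the CA's side, turning a CSR into a cert
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
build_pki() {
  openssl req -x509 -new -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=lab-root" -keyout root.key -out root.pem 2>/dev/null
  new_key_and_csr int lab-intermediate; sign int root v3_ca
  new_key_and_csr sa sa.example.test;   sign sa int v3_leaf
  # Self-signed certificate for the same device key: nothing vouches for it
  openssl req -x509 -new -config pki.cnf -extensions v3_leaf -key sa.key \
    -days 30 -subj "/CN=sa.example.test" -out selfsigned.pem 2>/dev/null
}
# verdict ARGS...: "trusted" if openssl verify builds a chain up to lab-root
verdict() {
  if openssl verify -CAfile root.pem "$@" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

build_pki
echo "self-signed device cert:           $(verdict selfsigned.pem)"
echo "CA-signed, intermediate missing:   $(verdict sa.pem)"
echo "CA-signed, intermediate supplied:  $(verdict -untrusted int.pem sa.pem)"
```

In all three cases the session is encrypted; what changes is whether the client can tie the device's key to a CA it already trusts.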