diff --git a/cmd/cloud-controller-manager/app/options/options.go b/cmd/cloud-controller-manager/app/options/options.go
index e6081b0ea26..f3f602424e9 100644
--- a/cmd/cloud-controller-manager/app/options/options.go
+++ b/cmd/cloud-controller-manager/app/options/options.go
@@ -102,10 +102,7 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
 
 	s.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes"
 	s.SecureServing.ServerCert.PairName = "cloud-controller-manager"
-
-	// disable secure serving for now
-	// TODO: enable HTTPS by default
-	s.SecureServing.BindPort = 0
+	s.SecureServing.BindPort = ports.CloudControllerManagerPort
 
 	return &s, nil
 }
@@ -263,6 +260,10 @@ func (o *CloudControllerManagerOptions) Config() (*cloudcontrollerconfig.Config,
 		return nil, err
 	}
 
+	if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
+		return nil, fmt.Errorf("error creating self-signed certificates: %v", err)
+	}
+
 	c := &cloudcontrollerconfig.Config{}
 	if err := o.ApplyTo(c, CloudControllerManagerUserAgent); err != nil {
 		return nil, err
diff --git a/pkg/master/ports/ports.go b/pkg/master/ports/ports.go
index 9fee96fcbe4..19207a1012b 100644
--- a/pkg/master/ports/ports.go
+++ b/pkg/master/ports/ports.go
@@ -32,6 +32,7 @@ const (
 	InsecureKubeControllerManagerPort = 10252
 	// InsecureCloudControllerManagerPort is the default port for the cloud controller manager server.
 	// This value may be overridden by a flag at startup.
+	// Deprecated: use the secure CloudControllerManagerPort instead.
 	InsecureCloudControllerManagerPort = 10253
 	// KubeletReadOnlyPort exposes basic read-only services from the kubelet.
 	// May be overridden by a flag at startup.
@@ -45,4 +46,7 @@ const (
 	// KubeControllerManagerPort is the default port for the controller manager status server.
 	// May be overridden by a flag at startup.
 	KubeControllerManagerPort = 10257
+	// CloudControllerManagerPort is the default port for the cloud controller manager server.
+	// This value may be overridden by a flag at startup.
+	CloudControllerManagerPort = 10258
 )