Let me start by saying that SHA-256 is not an encryption algorithm; it is a hash, so you can't:
I guess I could use SHA-2 to encrypt the password on both ends, but is there any point since the channel is secure?
SHA-256 is a hash algorithm that on its own does not provide any security, as hashes are deterministic in nature; in other words, if you know the plain text you'll know the hash, and you can map known hashes to known plain texts (rainbow tables). It makes no sense to talk about security if you don't present a threat model. The question as such is too general to be answered. As suggested in the comments, you may use certificate pinning to distribute your self-signed certificate in an out-of-band fashion, but that does not provide much flexibility and offers limited security.
What you need to understand is that a self-signed certificate on its own (without pinning) provides no security besides the cryptographic aspect of it; there is no authentication. You should avoid using them in commercial applications. A certificate issued by a trusted CA (be it private or public) is a better option, and pinning it provides much more security and flexibility to your application. If you pin the self-signed cert, there is no revocation available, no CRL or OCSP. In order to invalidate your certificate you'll need to change it on the server and push it to the application, which can lead to long outages.
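As an added example (not part of the answer above, and not from any particular project), here is what the pinning check the answer describes looks like in Python using only the standard library. It pins the SHA-256 fingerprint of the DER-encoded leaf certificate, compares it in constant time, and keeps a backup pin in the pin set so the server certificate can be rotated without the lock-out the answer warns about. The host, port and pin values are placeholders, and the bytes used as a "certificate" in the self-check are constructed, not a real certificate.

```python
"""Certificate pinning for a self-signed (or CA-issued) server certificate.

Added example, not the original answer's code. Pins are SHA-256 digests of
the DER-encoded leaf certificate. The pin set holds the live pin plus a
backup pin for the *next* certificate, so the server can switch certificates
while clients that already ship this set keep connecting.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable, List


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins: Iterable[str]) -> bool:
    """True if the certificate's fingerprint equals any pin in the set.

    hmac.compare_digest avoids a byte-by-byte early exit, so the comparison
    does not leak how close a presented certificate is to a pinned one.
    """
    fingerprint = cert_fingerprint(der)
    return any(hmac.compare_digest(fingerprint, pin.lower()) for pin in pins)


def rotate_pins(pins: List[str], next_backup: str) -> List[str]:
    """One rotation step for a [live, backup] pin set.

    The server has just switched to the certificate whose fingerprint is the
    current backup; that pin becomes live and a fresh backup is appended.
    Clients still running the old set keep working because the new live
    pin was already in it, which is the point of shipping a backup pin.
    """
    if len(pins) != 2:
        raise ValueError("pin set must be [live, backup]")
    _old_live, old_backup = pins
    return [old_backup, next_backup]


def connect_pinned(host: str, port: int, pins: Iterable[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin on the leaf certificate.

    Chain verification is disabled because the server certificate is
    self-signed and no CA vouches for it; the pin is therefore the ONLY thing
    authenticating the server, so a mismatch must close the socket before
    any application data is sent. Hostname checking is likewise disabled
    because it is only meaningful on top of chain validation.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    # binary_form=True returns the DER certificate even though it was not
    # validated against any CA; the text form would be empty in that case.
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}:{port}")
    return tls


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; a real client would take
    # the bytes from getpeercert(binary_form=True) as connect_pinned does.
    fake_der = b"constructed-not-a-real-certificate"
    live = cert_fingerprint(fake_der)
    backup = "00" * 32                  # placeholder pin for the next cert
    pin_set = [live, backup]
    print("live pin:", live)
    print("match:", pin_matches(fake_der, pin_set))
    print("after rotation:", rotate_pins(pin_set, "ff" * 32))
```

Pinning the whole certificate (as above) means every renewal, even one that keeps the same key pair, changes the pin; pinning the SubjectPublicKeyInfo instead survives such renewals, but extracting it needs an ASN.1 parser, which the standard library does not provide. Either way the pin set, not a single pin, is what lets the certificate be replaced without the outage the answer describes, and the backup pin must be chosen and shipped before the server switches.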