Merge pull request #90820 from v-rihow/end-to-end-ssl-portal3

ShawnJackson · web-flow · commit 57c9f7167d3a · 2019-10-09T15:13:31.000-05:00
edit pass: end-to-end-ssl-portal
diff --git a/articles/application-gateway/end-to-end-ssl-portal.md b/articles/application-gateway/end-to-end-ssl-portal.md
@@ -1,6 +1,6 @@
 ---
 title: Quickstart - Configure end-to-end SSL encryption with Azure Application Gateway - Azure portal | Microsoft Docs
-description: Learn how to use the Azure portal to create an Azure Application Gateway with end-to-end SSL encryption.
+description: Learn how to use the Azure portal to create an application gateway with end-to-end SSL encryption.
 services: application-gateway
 author: vhorne
 ms.service: application-gateway
@@ -11,7 +11,7 @@ ms.custom: mvc
 ---
 # Configure end-to-end SSL by using Application Gateway with the portal
 
-This article shows you how to use the Azure portal to configure end-to-end SSL encryption with an application gateway v1 SKU.  
+This article describes how to use the Azure portal to configure end-to-end Secure Sockets Layer (SSL) encryption through Azure Application Gateway v1 SKU.
 
 > [!NOTE]
 > Application Gateway v2 SKU requires trusted root certificates for enabling end-to-end configuration.
@@ -20,94 +20,97 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 
 ## Before you begin
 
-To configure end-to-end SSL with an Application Gateway, a certificate is required for the gateway and certificates are required for the back-end servers. The gateway certificate is used to derive a symmetric key as per SSL protocol specification. The symmetric key is then used to encrypt and decrypt the traffic sent to the gateway. For end-to-end SSL encryption, the right back-end servers must be allowed in the application gateway. To do this, upload the public certificate of the back-end servers, also known as Authentication Certificates (v1) or Trusted Root Certificates (v2), to the Application Gateway. Adding the certificate ensures that the Application Gateway only communicates with known back-end instances. This further secures the end-to-end communication.
+To configure end-to-end SSL with an application gateway, you need a certificate for the gateway. Certificates are also required for the back-end servers. The gateway certificate is used to derive a symmetric key in compliance with the SSL protocol specification. The symmetric key is then used to encrypt and decrypt the traffic sent to the gateway. 
+
+For end-to-end SSL encryption, the right back-end servers must be allowed in the application gateway. To allow this access, upload the public certificate of the back-end servers, also known as Authentication Certificates (v1) or Trusted Root Certificates (v2), to the application gateway. Adding the certificate ensures that the application gateway communicates only with known back-end instances. This configuration further secures end-to-end communication.
 
 To learn more, see [SSL termination and end-to-end SSL](https://docs.microsoft.com/azure/application-gateway/ssl-overview).
 
 ## Create a new application gateway with end-to-end SSL
 
-To create a new application gateway with end-to-end SSL encryption, you'll need to first enable SSL termination while creating a new application gateway. This will enable SSL encryption for the communication between the client and application gateway. Then, you'll need to whitelist certificates for backend servers in the HTTP settings to enable SSL encryption for the communication between the application gateway and backend servers, accomplishing end-to-end SSL encryption.
+To create a new application gateway with end-to-end SSL encryption, you'll need to first enable SSL termination while creating a new application gateway. This action enables SSL encryption for communication between the client and application gateway. Then, you'll need to put on the Safe Recipients list the certificates for the back-end servers in the HTTP settings. This configuration enables SSL encryption for communication between the application gateway and the back-end servers. That accomplishes end-to-end SSL encryption.
 
 ### Enable SSL termination while creating a new application gateway
 
-Refer to this article to understand how to [enable SSL termination while creating a new application gateway](https://docs.microsoft.com/azure/application-gateway/create-ssl-portal).
+To learn more, see [enable SSL termination while creating a new application gateway](https://docs.microsoft.com/azure/application-gateway/create-ssl-portal).
 
-### Add authentication/root certificate of back-end servers
+### Add authentication/root certificates of back-end servers
 
 1. Select **All resources**, and then select **myAppGateway**.
 
-2. Select **HTTP settings** from the left menu. Azure automatically created a default HTTP setting, **appGatewayBackendHttpSettings**, when you created the application gateway. 
+2. Select **HTTP settings** from the left-side menu. Azure automatically created a default HTTP setting, **appGatewayBackendHttpSettings**, when you created the application gateway. 
 
 3. Select **appGatewayBackendHttpSettings**.
 
-4. Under **Protocol**, select **HTTPS**. A pane for **Backend authentication certificates or Trusted root certificates** will appear. 
+4. Under **Protocol**, select **HTTPS**. A pane for **Backend authentication certificates or Trusted root certificates** appears.
 
-5. Choose **Create new**.
+5. Select **Create new**.
 
-6. Enter a suitable **Name**.
+6. In the **Name** field, enter a suitable name.
 
-7. Select the certificate file using the **Upload CER certificate** box.
+7. Select the certificate file in the **Upload CER certificate** box.
 
-   For Standard and WAF (v1) Application Gateways, you should upload the public key of your backend server certificate in .cer format.
+   For Standard and WAF (v1) application gateways, you should upload the public key of your back-end server certificate in .cer format.
 
-   ![addcert](./media/end-to-end-ssl-portal/addcert.png)
+   ![Add certificate](./media/end-to-end-ssl-portal/addcert.png)
 
-   For Standard_v2 and WAF_v2 Application Gateways, you should upload the **root certificate** of the backend server certificate in .cer format. If the backend certificate is issued by a well-known CA, you can check the "Use Well Known CA certificate" box and there is no need to upload a certificate.
+   For Standard_v2 and WAF_v2 application gateways, you should upload the root certificate of the back-end server certificate in .cer format. If the back-end certificate is issued by a well-known certificate authority (CA), you can select the **Use Well Known CA Certificate** check box, and then you don't have to upload a certificate.
 
-   ![addtrustedrootcert](./media/end-to-end-ssl-portal/trustedrootcert-portal.png)
+   ![Add trusted root certificate](./media/end-to-end-ssl-portal/trustedrootcert-portal.png)
 
-   ![rootcert](./media/end-to-end-ssl-portal/trustedrootcert.png)
+   ![Root certificate](./media/end-to-end-ssl-portal/trustedrootcert.png)
 
 8. Select **Save**.
 
-## Enable end-to-end SSL for existing application gateway
+## Enable end-to-end SSL for an existing application gateway
 
-To configure an existing application gateway with end-to-end SSL encryption, you'll need to first enable SSL termination in the listener. This will enable SSL encryption for the communication between the client and application gateway. Then, you'll need to whitelist certificates for backend servers in the HTTP settings to enable SSL encryption for the communication between the application gateway and backend servers, accomplishing end-to-end SSL encryption.
+To configure an existing application gateway with end-to-end SSL encryption, you must first enable SSL termination in the listener. This action enables SSL encryption for communication between the client and the application gateway. Then, put those certificates for back-end servers in the HTTP settings on the Safe Recipients list. This configuration enables SSL encryption for communication between the application gateway and the back-end servers. That accomplishes end-to-end SSL encryption.
 
-You'll need to use a listener with HTTPS protocol and certificate for enabling SSL termination. So, you can either choose to use an existing listener with HTTPS protocol and certificate, or create a new listener. In case you choose the former, you can ignore the below mentioned steps to **Enable SSL termination in existing application gateway** and directly move to **Add authentication/trusted root certificates for back-end servers** section. If you choose the latter, use these steps.
+You'll need to use a listener with the HTTPS protocol and a certificate for enabling SSL termination. You can either use an existing listener that meets those conditions or create a new listener. If you choose the former option, you can ignore the following "Enable SSL termination in an existing application gateway" section and move directly to the "Add authentication/trusted root certificates for backend servers" section.
 
-### Enable SSL termination in existing application gateway
+If you choose the latter option, apply the steps in the following procedure.
+### Enable SSL termination in an existing application gateway
 
 1. Select **All resources**, and then select **myAppGateway**.
 
-2. Select **Listeners** from the left menu.
+2. Select **Listeners** from the left-side menu.
 
-3. Choose between **Basic** and **Multi-site** listener as per your requirement.
+3. Select either **Basic** or **Multi-site** listener depending on your requirements.
 
-4. Under **Protocol**, select **HTTPS**. A pane for **Certificate** will appear.
+4. Under **Protocol**, select **HTTPS**. A pane for **Certificate** appears.
 
-5. Upload the PFX certificate that you intend to use for SSL termination between the client and application gateway.
+5. Upload the PFX certificate you intend to use for SSL termination between the client and the application gateway.
 
    > [!NOTE]
-   > For testing purposes, you can use a self-signed certificate. but not advised for production workloads as they are harder to manage and not completely secure. Learn how to [create a self-signed certificate](https://docs.microsoft.com/azure/application-gateway/create-ssl-portal#create-a-self-signed-certificate).
+   > For testing purposes, you can use a self-signed certificate. However, this is not advised for production workloads, because they're harder to manage and aren't completely secure. For more info, see [create a self-signed certificate](https://docs.microsoft.com/azure/application-gateway/create-ssl-portal#create-a-self-signed-certificate).
 
-6. Add other required settings for the **Listener** as per your requirement.
+6. Add other required settings for the **Listener**, depending on your requirements.
 
 7. Select **OK** to save.
 
 ### Add authentication/trusted root certificates of back-end servers
 
 1. Select **All resources**, and then select **myAppGateway**.
 
-2. Select **HTTP settings** from the left menu. You can either whitelist certificates in an existing backend HTTP setting or create a new HTTP setting. In the below step, we will whitelist certificate for the default HTTP setting, **appGatewayBackendHttpSettings**.
+2. Select **HTTP settings** from the left-side menu. You can either put certificates in an existing back-end HTTP setting on the Safe Recipients list or create a new HTTP setting. (In the next step, the certificate for the default HTTP setting, **appGatewayBackendHttpSettings**, is added to the Safe Recipients list.)
 
 3. Select **appGatewayBackendHttpSettings**.
 
-4. Under **Protocol**, select **HTTPS**. A pane for **Backend authentication certificates or Trusted root certificates** will appear. 
+4. Under **Protocol**, select **HTTPS**. A pane for **Backend authentication certificates or Trusted root certificates** appears. 
 
-5. Choose **Create new**.
+5. Select **Create new**.
 
-6. Enter suitable **Name**.
+6. In the **Name** field, enter a suitable name.
 
-7. Select the certificate file using the **Upload CER certificate** box.
+7. Select the certificate file in the **Upload CER certificate** box.
 
-   For Standard and WAF (v1) Application Gateways, you should upload the public key of your backend server certificate in .cer format.
+   For Standard and WAF (v1) application gateways, you should upload the public key of your back-end server certificate in .cer format.
 
-   ![addcert](./media/end-to-end-ssl-portal/addcert.png)
+   ![Add certificate](./media/end-to-end-ssl-portal/addcert.png)
 
-   For Standard_v2 and WAF_v2 Application Gateways, you should upload the **root certificate** of the backend server certificate in .cer format. If the backend certificate is issued by a well-known CA, you can check the "Use Well Known CA certificate" box and there is no need to upload a certificate.
+   For Standard_v2 and WAF_v2 application gateways, you should upload the root certificate of the back-end server certificate in .cer format. If the back-end certificate is issued by a well-known CA, you can select the **Use Well Known CA Certificate** check box, and then you don't have to upload a certificate.
 
-   ![addtrustedrootcert](./media/end-to-end-ssl-portal/trustedrootcert-portal.png)
+   ![Add trusted root certificate](./media/end-to-end-ssl-portal/trustedrootcert-portal.png)
 
 8. Select **Save**.
 
