Thank you for reaching out.
I understand you have an Azure Web App service with a default domain which you want to add as a backend to the Application Gateway.
In this case there is no requirement to upload a .pfx certificate file to the Application Gateway listener. As documented here: certificates signed by well-known CA authorities whose CN matches the host name in the HTTP backend settings don't require any additional step for end-to-end TLS to work. If you're using Azure App Service or other Azure web services as your backend, then these are implicitly trusted as well and no further steps are required for end-to-end TLS.
- In the Trusted root certificate setting, you can set to use well known CA trusted root certificate.
- Under "Host name override", select "Pick host name from backend target". This setting will cause the request towards App Service to use the "azurewebsites.net" host name, as is configured in the Backend Pool.
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
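The two settings described in the answer above, expressed as a Bicep fragment for the `properties` object of an Application Gateway v2 resource (an added example, not code from the original answer or from Microsoft's documentation; the gateway, pool, probe and App Service names are assumed placeholders, and the listener, frontend and routing rule are assumed to be defined elsewhere in the template):

```bicep
// Added example, not part of the original answer. Fragment of the `properties`
// object of a Microsoft.Network/applicationGateways resource; the listener,
// frontend IP/port and request routing rule are assumed to exist elsewhere.
// 'appgw-example' and 'contoso-web.azurewebsites.net' are assumed placeholders.

// 1. Backend pool: target the App Service default domain by FQDN.
backendAddressPools: [
  {
    name: 'appservice-pool'
    properties: {
      backendAddresses: [
        { fqdn: 'contoso-web.azurewebsites.net' }
      ]
    }
  }
]

// 2. Health probe: take its host name from the backend settings, so the probe
//    also sends the azurewebsites.net host name instead of the gateway's own.
probes: [
  {
    name: 'appservice-probe'
    properties: {
      protocol: 'Https'
      path: '/'
      interval: 30
      timeout: 30
      unhealthyThreshold: 3
      pickHostNameFromBackendHttpSettings: true
    }
  }
]

// 3. Backend settings: HTTPS on 443 with "Pick host name from backend target"
//    (pickHostNameFromBackendAddress). No trustedRootCertificates entry is set,
//    which corresponds to "use well known CA certificate" in the portal: the
//    App Service certificate is trusted without any .pfx/.cer upload.
backendHttpSettingsCollection: [
  {
    name: 'appservice-https'
    properties: {
      port: 443
      protocol: 'Https'
      cookieBasedAffinity: 'Disabled'
      pickHostNameFromBackendAddress: true
      probe: {
        id: resourceId('Microsoft.Network/applicationGateways/probes', 'appgw-example', 'appservice-probe')
      }
    }
  }
]
```

After deployment, the backend should show as healthy under Backend health; a 4xx from the probe usually means the host name override was not applied.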