[docs] security clarifications and grammar fixes (yugabyte#9031)
Unprivileged ports start at 1024.
Clarify what is uploaded to the platform and what is copied manually.
kerneljake authored Jul 16, 2021
1 parent 2369b7b commit d676894
Showing 2 changed files with 3 additions and 4 deletions.
Expand Up @@ -20,7 +20,7 @@ For a list of YugabyteDB default ports, see [Default ports reference](../../../r

![Create universe - Override Deployment Ports](/images/yp/security/override-deployment-ports.png)

3. Specify the port each process should use. This can be any value from `1` to `65535` (as long as the specified values don’t conflict with anything else running on nodes to be provisioned). In the case of **Node Exporter Port**, the value is used for both what Prometheus will use to scrape node-level metrics as well as what Node Exporter will be configured on nodes to use. If **Install Node Exporter** is not selected and the user is configuring Node Exporter on nodes out of band of Yugabyte Platform, this value should be the port that Node Exporter is already running on nodes with.
3. Specify the port each process should use. This can be any value from `1024` to `65535` (as long as the specified values don’t conflict with anything else running on nodes to be provisioned). In the case of **Node Exporter Port**, the value is used for both what Prometheus will use to scrape node-level metrics as well as what Node Exporter will be configured on nodes to use. If **Install Node Exporter** is not selected and the user is configuring Node Exporter on nodes out of band of Yugabyte Platform, this value should be the port that Node Exporter is already running on nodes with.

![Override Deployment Ports](/images/yp/security/override-deployment-ports.png)

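Review bot: the new lower bound of `1024` in the "Specify the port each process should use" step is stated without its reason, so a reader cannot tell whether it is a platform validation limit or an OS constraint; since the commit message gives the rationale ("Unprivileged ports start at 1024"), put it in the sentence, e.g. "This can be any value from `1024` to `65535` (ports below 1024 are privileged on the node operating system and require root to bind)". That also tells operators why an existing out-of-band Node Exporter on a low port cannot simply be entered here.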
Expand Up @@ -80,7 +80,7 @@ You can enable TLS using your own certificates, as follows:

## Custom CA-Signed Self-Provided Certificates

For universes created with an on-premise cloud provider, instead of using self-signed certificates, you can use third-party certificates from external CAs. The third-party CA root certificate must be configured in the platform and the node keys. You have to copy the certificates to the appropriate database nodes using the procedure described in [How to Use Custom CA-Signed Certificates to Enable TLS](#how-to-use-custom-ca-signed-certificates-to-enable-tls).
For universes created with an on-premise cloud provider, instead of using self-signed certificates, you can use third-party certificates from external CAs. The third-party CA root certificate must be configured in the platform. You have to copy the custom CA root certificate, node certificate, and node key to the appropriate database nodes using the procedure described in [How to Use Custom CA-Signed Certificates to Enable TLS](#how-to-use-custom-ca-signed-certificates-to-enable-tls).

The certificates must meet the following criteria:

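Review bot: the rewritten sentence correctly drops "and the node keys" from what is configured in the platform, but the security point is only implied by the split between "configured in the platform" and "copy ... to the appropriate database nodes". State it outright so nobody uploads private key material, e.g. "Only the custom CA root certificate is uploaded to the platform; the node certificates and node private keys are never uploaded and must be copied to each node manually," which is exactly what the commit message ("Clarify what is uploaded to the platform and what is copied manually") sets out to do.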
Expand All @@ -92,7 +92,7 @@ The following procedure describes how to install certificates on the database no

**Step 1:** Obtain the keys and the custom CA-signed certificates for each of the on-premise nodes for which you are configuring node-to-node TLS. In addition, obtain the keys and the custom signed certificates for client access for configuring client-to-node TLS.

**Step 2**: Copy the custom CA root certificate, node certificate, and node key to the respective on-premise nodes file system.
**Step 2**: For _each on-premise node_, copy the custom CA root certificate, node certificate, and node key to that node's file system.

If you are enabling client-to-node TLS, make sure to copy the client certificate and client key to each of the nodes.

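Review bot: "For _each on-premise node_ ... to that node's file system" fixes the scope of Step 2, but it still does not say that the node certificate and node key must be the pair issued for that particular node (Step 1 obtains one per node), so a reader could copy a single key pair to every node; change it to "copy the custom CA root certificate and the node certificate and node key issued for that node to that node's file system". The next sentence about the client certificate and client key is fine as written; a short note that the copied private keys should be readable only by the database process user would fit there as well.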
Expand Down Expand Up @@ -263,4 +263,3 @@ You can set the TLS version for node-to-node and client-node communication. To e
```
ssl_protocols = tls12
```
