tls – Not self-signed certificate and not AWS private certificate authority, any guess?

Hi, I need to secure the communications between my frontend and backend. To put you in context, my front resides on a PHP server owned by DonDominio (web hosting) and my backend on an instance in AWS.

My public web domain is .app, so I'm forced to use a certificate to secure the communications. That step is done, with an SSL certificate provided by the hosting itself.

My problem begins with the communication to the backend. I managed to enable the SSL configuration and, smart of me, I used the same certificate (the previous one provided by my hosting). Oh, but it seems that the certificate refers to the common name of the frontend's public hosted website mentioned before, let's call it www.subjectweb.app. So no, that doesn't work.

Amazon provides its own Certificate Manager, but I'm not sure if it is the solution that fits me best. They offer a private certificate authority (way expensive) and a public one that is like the certificate needed for websites hosted in AWS, which is not my case because I already have a hosting. I use AWS instances as my logic processing units, therefore those instances' addresses are public and exposed.

I tried to self-sign a certificate and install it in the backend, but obviously every browser complains about it, so it's not a solution.

So what do I need to do to secure my backend communications out to the internet? Can I simply create a CSR in the instance, use a CA to sign it, install it in my Spring Boot instance, and that's all?

I'm asking this because prices go from 400$ each month for AWS's private solution and from 5$ or so for a simple certificate with the CSR (like I did for my public page www.subjectweb.app).
Apologies if I wasn't clear, I'll track the answers so I can explain better if that's the case.
Thanks!
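
The name mismatch described in the question, as an added example that is not part of the original post: a simplified hostname check showing which names a certificate issued for www.subjectweb.app covers. The backend name api.subjectweb.app, the EC2 hostname and the IP address are constructed placeholders, and the certificates are constructed dicts in the layout Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

# Constructed certificates in the dict layout of ssl.SSLSocket.getpeercert().
FRONTEND_CERT = {"subject": ((("commonName", "www.subjectweb.app"),),),
                 "subjectAltName": (("DNS", "www.subjectweb.app"),)}
BACKEND_CERT = {"subjectAltName": (("DNS", "api.subjectweb.app"),)}   # hypothetical name
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.subjectweb.app"),)}    # hypothetical

# Constructed names a browser might dial to reach the backend.
HOSTS = ["www.subjectweb.app", "api.subjectweb.app",
         "ec2-203-0-113-10.compute-1.amazonaws.com", "203.0.113.10"]


def _dns_match(pattern, host):
    """Compare one dNSName entry with a hostname; '*' may only be the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # a wildcard covers exactly one label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, host):
    """True if the certificate's subjectAltName covers the name the client dials.

    Simplified: current browsers match on subjectAltName and ignore the subject CN.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(k == "DNS" and _dns_match(v, host) for k, v in sans)
    # An IP literal only matches an iPAddress entry, never a DNS entry.
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)


def coverage(cert, hosts=HOSTS):
    """Map each candidate hostname to whether the certificate would validate for it."""
    return {h: cert_covers(cert, h) for h in hosts}


if __name__ == "__main__":
    for label, cert in [("frontend", FRONTEND_CERT), ("backend", BACKEND_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        print(label, coverage(cert))
```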