https-example | example https client and server using OpenSSL | TLS library

I purchased the domain name 'jimtough.org' directly from Amazon so I could use it with a Cloudfront distribution. Now I have a very simple vanity site at https://jimtough.org/ that uses the certificate. I also played around with AWS API Gateway and confirmed that I can use the same certificate to provide HTTPS secured URLs to work with API Gateway.

I am also running a Java/Spring Boot web application on an EC2 server. I have already associated a Route53 DNS name with the EC2 server that hosts my Spring Boot application, like this: http://instance-b.jimtough.org/. This works, but it is using unsecured HTTP. I get a bunch of warnings when I try to do basic authentication in the application, since it would be sending my username/password via an insecure connection. Fair enough.

So my next step is to enable HTTPS in Spring Security and force secure connections to the application. In order to do this, I first need to provide a certificate for the Java runtime on the EC2 host to use. I found examples of how to do so with a self-signed certificate:

• https://mkyong.com/spring-boot/spring-boot-ssl-https-examples/
• https://www.baeldung.com/spring-boot-https-self-signed-certificate

Unfortunately, using a self-signed certificate is not what I'm looking for. I want the user to be able to browse my static content vanity site first (https://jimtough.org/), and then follow a link to my web app and keep using the same site certificate (my AWS-issued cert) for my Spring web app.

QUESTION: How can I use my AWS-issued certificate with my Java-based web application?

Inside the AWS Certificate Manager (https://console.aws.amazon.com/acm/home?region=us-east-1#/), I don't see any way to 'export' or save my certificate. Am I missing something? Maybe Amazon doesn't want me to use this certificate outside of their own services?

Note that I did originally set up the certificate with the domain name as 'jimtough.org' and the Additional Names field set to '*.jimtough.org' so I can use the certificate on sub-domains as I'm trying to do here.

EDIT

The accepted answer from julien-b is correct. I did some more research and found that SSL certificates aren't cheap, and come in different flavors. The cheapest is the 'DV' (Domain Validation) type, which only verifies that the SSL certificate is controlled by someone who also controls the DNS record for the associated domain (such as 'mydomain.com'). There are much more thorough (and expensive) certificate types that can be issued, where the issuer has to do background checks on the owning organization. Those are meant for sites that handle e-commerce, financial transactions, etc. Not at all what I need.

There are also multiple types of multi-site certificates to choose from. The very cheapest single-domain certificates only cover your primary domain and the 'www' subdomain (mysite.com and www.mysite.com). If you want all the subdomains of your primary domain covered (app.mysite.com, ftp.mysite.com, etc), then you'll need a 'wildcard' certificate. Those are significantly more expensive. The more exotic certificate types can cover multiple different domains. These seem to be aimed at making certificate management easier for organizations that manage a lot of different domains and don't need a different certificate for each. Not what I need, so I didn't investigate further.

I decided to go with a 'single-domain with subdomain wildcard' certificate from Comodo (recently renamed to Sectigo?), who appears to be the most affordable certificate vendor right now.

REFERENCE: https://www.techradar.com/news/best-ssl-certificate-provider

It seems like a missed opportunity for Amazon that they don't get in on this game and issue their own SSL certificates for a fee. AWS already has all the infrastructure in place to do so, at least for the DV-level certificates.