tls – Separate SSL certs on CloudFront and Heroku?

I find SSL real confusing, but anyways.

For my frontend static website, I host on S3 and distribute using CF. I just use something simple like comodo SSL to generate an SSL cert and then go through the AWS ACM process to import the cert. All good.

But I realized all my API requests of course go to a Node.js server running somewhere else in the world on Heroku (ok, probably they host on AWS somewhere :P). So with my domain name being www.domain.com and SSL certified, pointing to d12345.cloudfront.net, and API requests hitting myapp.heroku.com, do I get a separate SSL on Heroku? Heroku has a tempting auto SSL feature for paid dynos, but I don’t get if I need it or if I use my existing one for www.domain.com.