Is a certificate required between apm agent and apm server?
As Silvia said, generally not required but recommended.
In your specific case, however: since the frontend application is serving requests over HTTPS, you will need to enable TLS in apm-server for the RUM agent to be able to send data successfully. This is a requirement specific to browser/frontend applications.
Does the apm agent on the frontend application need to use the same certificate as the frontend?
The APM agent doesn't need to use a certificate; the APM server does. They do not need to be the same, but they could be if they run on the same host (or if you use a reverse proxy). As long as the browser can verify the server certificate, it will work.
If apmserver enables https, then my other backend applications do not use https. Does it affect them?
You will need to configure the agents for the backend applications to communicate with the APM Server using TLS. Whether the backend application uses HTTPS or not doesn't matter.
I use the certificate generated by "elasticsearch-certutil http", can apmserver use it to enable https?
Yes, but you will then need to install the CA certificate in your browser. I generally would not recommend this approach, but it depends on your application and user base.
How did you generate the frontend certificate? Is the frontend accessible through the internet, or is this an intranet application?
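
The trust point made in the answers above (a server certificate issued by a private CA is only accepted once the client trusts that CA), shown as an added example that is not part of the original reply. The script builds a throwaway CA and server certificate with openssl and checks the certificate the way a client would; the hostname apm.example.internal and all file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: throwaway certificates are constructed on the fly;
# apm.example.internal is a placeholder hostname (assumption).

# Build a private CA and a server certificate signed by it, standing in
# for what a tool such as "elasticsearch-certutil http" produces.
make_certs() {
  d=$1
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Private CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=apm.example.internal" \
    -keyout "$d/apm.key" -out "$d/apm.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:apm.example.internal\n' > "$d/san.ext"
  openssl x509 -req -in "$d/apm.csr" -days 1 \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/san.ext" -out "$d/apm.crt" 2>/dev/null
}

# Client that only knows the system's default roots: stands in for a
# browser or agent where the private CA has not been installed.
trusted_by_default() {
  openssl verify -verify_hostname "$2" "$1/apm.crt" >/dev/null 2>&1
}

# Client that has been given the private CA explicitly.
trusted_with_ca() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
    "$1/apm.crt" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d) || return 1
  make_certs "$tmp" || { rm -rf "$tmp"; return 1; }
  h=apm.example.internal
  trusted_by_default "$tmp" "$h" \
    && echo "default roots only:  accepted" || echo "default roots only:  rejected"
  trusted_with_ca "$tmp" "$h" \
    && echo "private CA supplied: accepted" || echo "private CA supplied: rejected"
  # Trusting the CA does not help if the name in the URL is not in the cert.
  trusted_with_ca "$tmp" other.example.internal \
    && echo "wrong hostname:      accepted" || echo "wrong hostname:      rejected"
  rm -rf "$tmp"
}
demo
```

The same two `openssl verify` calls can be pointed at a real certificate file to see which clients will need the CA installed.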