Whoa, Quinn responded to this! That is very helpful, thank you for taking the time to reply. The iOS demos for this needed AWS SDK demonstrated calling two functions. One to import the bundled p12 and another to connect to the IoT service. That connect strikes me as interesting given your advice around the SecIdentity. Their documentation on that is as follows. /** Initialises the MQTT session and connects to AWS IoT using certificate-based mutual authentication @return true if initialise finished with success @param clientId The Client Identifier identifies the Client to the Server. @param cleanSession specifies if the server should discard previous session information. @param certificateId contains the ID of the certificate to use in the connection; must be in the keychain @param callback When new mqtt session status is received callback will be called with new connection status. */ - (BOOL)connectWithClientId:(NSString *)clientId cleanSession:(BOOL)cleanSession certificateId:(NSString *)certificateId statusCallback:(void (^)(AWSIoTMQTTStatus status))callback; I'm speculating that "certificateId" parameter may be the kSecValueRef of the identity they imported... I am wondering if I might be able to turn our servers pem cert string into DER-encoded data and then create a SecIdentity in Keychain by combining it with the private key to use in Amazon's connect function. (https://developer.apple.com/documentation/security/certificate_key_and_trust_services/certificates/getting_a_certificate) Can you see any pitfalls with this approach that I should be aware of? Is that even possible lol