AWS IoT - TLS Client Certificate Authentication using Zymkey 4i

See Zymbit’s Documentation Site for the most recent AWS documentation.

Are you using Zymkey private key to create Device certificate? what is nonzym.key file in the above steps?

#replace endpoint and region with the appropriate values
curl --tlsv1.2 --cacert CA_files/zk_ca.pem --cert zymkey.crt --key nonzymkey.key --engine zymkey_ssl --key-type ENG -v -X POST -d “{ “hello”: “world”}” “

what key should we send in the above statement? Since i dont have access to private key?

Zymkey is used to generate a certificate signing request to a CA. The CA will then generate a certificate using Zymkey’s public key.

In normal operation (e.g. via the curl command), zymkey is used for the client signature part of the TLS handshake which references the client the certificate.

The reason that there is an entry for the key in the curl command is because older versions of curl (and this may still be true today) needed to have a key file even though we are referencing a private key through an openssl hardware engine.

Try one of the following things:

  1. Create an empty key with touch nonzymkey.key, then run the curl command
  2. If that doesn’t work, try openssl ecparam -name prime256v1 -out nonzymkey.key, then run the curl command.
1 Like


I want to edit zymkey_ssl file to meet the requirements. Where can i find that file? Is that file publicly available?

Hi, did you ever write the future post showing how to communicate with AWS IoT through their rest API and authenticating with Zymkey’s private key in Python?

I am trying to learn how to create an SSL context in python that uses the private key on the Zymkey HSM rather than point to a file on the storage for a private key.