Do one-click cert creation, even though not needed. Download Root cert from: https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html#server-authentication
Specifically, either of RSA 2048 bit key: Amazon Root CA 1 https://www.amazontrust.com/repository/AmazonRootCA1.pem RSA 4096 bit key: Amazon Root CA 2 https://www.amazontrust.com/repository/AmazonRootCA2.pem