@ian.c
Yes, please use cert.pem, private.key for CELINT_KEY_CRT_PEM, CELINT_KEY_PEM.
next is you would be better check the AWS IoT core certificate policy ARN rule.
I want to test on Google IoT core but could not yet, because of Google IoT Core is now Private Beta version I could not join beta user.