Tags: pki, amazon-kms, mtls, aws-acm

AWS ACM PCA with KMS keys


I'm building a service using MTLS for authentication with AWS ACM PCA as private Certificate Authority. The certificate is stored in a password protected PKCS#12 file together with the private key. The private key is also used for signing data.

At the moment I'm creating key pairs programmatically but want to switch into using KMS. However, it seems like it's not possible to get the private key from KMS.

How am I supposed to allow for both client authentication and signing if I can't add the private key to the PKCS#12 key store?


Solution

  • You can use kms.generateDataKeyPair to create and export a public key and private key which can then be used locally.
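The approach from the answer, as an added example that is not part of the original post: fetch an RSA data key pair from KMS, persist only the ciphertext blob (KMS Decrypt turns it back into the plaintext key later), bundle the plaintext key with the certificate ACM PCA issued for it into a password-protected PKCS#12, and sign application data with the same key. The KMS client is passed in so a stub can stand in for boto3 offline; the `alias/...` key id, the PKCS#12 friendly name and the use of the `cryptography` library are assumptions.

```python
"""Added example: KMS GenerateDataKeyPair as the source of an mTLS client key."""
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import pkcs12

# RSA-PSS with SHA-256 for the service's own data signatures (assumed choice).
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def fetch_data_key_pair(kms, key_id: str):
    """Ask KMS for an RSA data key pair. The plaintext private key (DER, PKCS#8)
    is for immediate use; only the ciphertext blob should be persisted, because
    KMS can recover the plaintext from it later with Decrypt."""
    resp = kms.generate_data_key_pair(KeyId=key_id, KeyPairSpec="RSA_2048")
    return resp["PrivateKeyPlaintext"], resp["PrivateKeyCiphertextBlob"]


def recover_private_key(kms, ciphertext_blob: bytes) -> bytes:
    """Re-obtain the plaintext DER private key from the stored ciphertext blob."""
    return kms.decrypt(CiphertextBlob=ciphertext_blob)["Plaintext"]


def build_pkcs12(private_key_der: bytes, cert_pem: bytes, password: bytes) -> bytes:
    """Bundle the data key pair's private key with the ACM PCA certificate into a
    password-protected PKCS#12, refusing a certificate issued for another key."""
    key = serialization.load_der_private_key(private_key_der, password=None)
    cert = x509.load_pem_x509_certificate(cert_pem)
    der, spki = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    if cert.public_key().public_bytes(der, spki) != key.public_key().public_bytes(der, spki):
        raise ValueError("certificate public key does not match the KMS data key pair")
    return pkcs12.serialize_key_and_certificates(
        b"mtls-client", key, cert, None, serialization.BestAvailableEncryption(password))


def sign_with_local_key(private_key_der: bytes, data: bytes) -> bytes:
    """Sign application data locally with the same private key."""
    key = serialization.load_der_private_key(private_key_der, password=None)
    return key.sign(data, PSS, hashes.SHA256())


def verify_with_cert(cert_pem: bytes, data: bytes, signature: bytes) -> bool:
    """Verify a signature against the public key carried in the issued certificate."""
    public_key = x509.load_pem_x509_certificate(cert_pem).public_key()
    try:
        public_key.verify(signature, data, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False
```

With a real boto3 client (`boto3.client("kms")`) the same functions apply unchanged; the plaintext key should be discarded from memory once the PKCS#12 is written or the signature made, leaving the ciphertext blob as the only stored copy.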