Connect to AWS IoT/MQTT using Azure NetXDuo

0

Does anyone have experience with connecting to AWS IoT using Azure RTOS NetX Duo? I have successfully connected to Azure IoT and the Mosquitto public broker. The problem, I think, is that I'm using the certificates in the wrong way.

This is an example of when I'm successfully connected to Mosquitto: it uses only the root CA certificate, without username/password.

#define HOST_NAME "test.mosquitto.org"
#define SERVER_NAME "test.mosquitto.org"
#define DEVICE_ID "nxpevkboard"
#define SERVER_PORT 8883
#define PUBLISH_TOPIC   "devices/%s/test/me"
#define SUBSCRIBE_TOPIC "devices/%s/notice/me"

    for (i = 0; i < sizeof(threadx_tls_remote_certificate) / sizeof(NX_SECURE_X509_CERT); i++)
    {
        /* Need to allocate space for the certificate coming in from the remote host. */
        nx_secure_tls_remote_certificate_allocate(tls_session, &threadx_tls_remote_certificate[i],
                                                  threadx_tls_remote_cert_buffer[i],
                                                  sizeof(threadx_tls_remote_cert_buffer[i]));
    }

    /* Add a CA Certificate to our trusted store for verifying incoming server certificates. */
    status = nx_secure_x509_certificate_initialize(trusted_certificate, mosqitto_root_ca,
                                                   sizeof(mosqitto_root_ca), NX_NULL, 0, NX_NULL, 0,
                                                   NX_SECURE_X509_KEY_TYPE_NONE);
    status = nx_secure_tls_trusted_certificate_add(tls_session, trusted_certificate);

AWS provides one more certificate and a private key. I tried to include both certificates with the provided private key. The API returned a success status, but later the client can't connect to the host, so maybe I have a mistake in the host or server name.

#define HOST_NAME  "xxxx.iot.us-west-2.amazonaws.com"
#define SERVER_NAME "xxxx.iot.us-west-2.amazonaws.com"
#define DEVICE_ID "nxpevkboard"
#define SERVER_PORT 8883
#define PUBLISH_TOPIC   "devices/%s/test/me"
#define SUBSCRIBE_TOPIC "devices/%s/notice/me"

    for (i = 0; i < sizeof(threadx_tls_remote_certificate) / sizeof(NX_SECURE_X509_CERT); i++)
    {
        /* Need to allocate space for the certificate coming in from the remote host. */
        nx_secure_tls_remote_certificate_allocate(tls_session, &threadx_tls_remote_certificate[i],
                                                  threadx_tls_remote_cert_buffer[i],
                                                  sizeof(threadx_tls_remote_cert_buffer[i]));
    }

    /* This should be the local cert, I think. */
    status = nx_secure_x509_certificate_initialize(certificate, amazon_cert,
                                                   sizeof(amazon_cert), NX_NULL, 0, private_key, sizeof(private_key),
                                                   NX_SECURE_X509_KEY_TYPE_RSA_PKCS1_DER);
    status = nx_secure_tls_local_certificate_add(tls_session, certificate);

    /* Add a CA Certificate to our trusted store for verifying incoming server certificates. */
    status = nx_secure_x509_certificate_initialize(trusted_certificate, amazon_root_ca_cert,
                                                   sizeof(amazon_root_ca_cert), NX_NULL, 0, private_key, sizeof(private_key),
                                                   NX_SECURE_X509_KEY_TYPE_RSA_PKCS1_DER);
    status = nx_secure_tls_trusted_certificate_add(tls_session, trusted_certificate);
Brjk
asked a year ago, 430 views
1 answer
0

Hello, the private_key is only for the device's certificate. For the Root CA, you must write:

    /* Add a CA Certificate to our trusted store for verifying incoming server certificates. */
    status = nx_secure_x509_certificate_initialize(trusted_certificate, amazon_root_ca_cert,
                                                   sizeof(amazon_root_ca_cert), NX_NULL, 0, NX_NULL, 0,
                                                   NX_SECURE_X509_KEY_TYPE_RSA_PKCS1_DER);

Regards,

Eric F.

answered a year ago
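As an added illustration of the answer's point (this is example code, not from the original post and not part of NetX Duo): a self-contained C check that classifies each blob before it reaches nx_secure_x509_certificate_initialize and enforces the pairing rule, a root CA for the trusted store with NX_NULL and length 0 for the key, the device certificate for the local store with its PKCS#1 DER key. The function names, return codes and the minimal DER sample arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum blob_kind { BLOB_PEM, BLOB_DER_CERT, BLOB_DER_PKCS1_RSA_KEY, BLOB_DER_PKCS8_KEY, BLOB_UNKNOWN };

/* Decode one DER tag/length header; returns header size, or 0 if malformed or overlong. */
static size_t der_header(const uint8_t *p, size_t len, uint8_t *tag, size_t *clen)
{
    size_t i, n, hdr = 2, nbytes;
    if (len < 2) return 0;
    *tag = p[0]; n = p[1];
    if (n & 0x80) {                                /* long form: 0x8N then N length bytes */
        nbytes = n & 0x7f;
        if (nbytes == 0 || nbytes > 4 || len < 2 + nbytes) return 0;
        for (n = 0, i = 0; i < nbytes; i++) n = (n << 8) | p[2 + i];
        hdr = 2 + nbytes;
    }
    if (n > len - hdr) return 0;                   /* declared length overruns the buffer */
    *clen = n; return hdr;
}

/* Tell PEM text, a DER Certificate, a PKCS#1 RSAPrivateKey and a PKCS#8 PrivateKeyInfo apart. */
enum blob_kind classify_blob(const uint8_t *buf, size_t len)
{
    uint8_t tag; size_t hdr, clen;
    if (len >= 11 && memcmp(buf, "-----BEGIN ", 11) == 0) return BLOB_PEM;  /* still needs DER conversion */
    hdr = der_header(buf, len, &tag, &clen);
    if (hdr == 0 || tag != 0x30 || hdr + clen != len) return BLOB_UNKNOWN; /* outer SEQUENCE spans the blob */
    buf += hdr; len = clen;
    if ((hdr = der_header(buf, len, &tag, &clen)) == 0) return BLOB_UNKNOWN;
    if (tag == 0x30) return BLOB_DER_CERT;         /* X.509: tbsCertificate SEQUENCE comes first */
    if (tag != 0x02) return BLOB_UNKNOWN;          /* both key formats open with an INTEGER version */
    buf += hdr + clen; len -= hdr + clen;
    if (der_header(buf, len, &tag, &clen) == 0) return BLOB_UNKNOWN;
    if (tag == 0x02) return BLOB_DER_PKCS1_RSA_KEY; /* RSAPrivateKey: modulus INTEGER follows */
    return tag == 0x30 ? BLOB_DER_PKCS8_KEY : BLOB_UNKNOWN; /* PrivateKeyInfo: AlgorithmIdentifier follows */
}

/* Pairing rule from the answer: trusted-store root CA takes no key (NX_NULL, 0); the local
 * device certificate takes its PKCS#1 DER key. Returns 0 when consistent, negative otherwise. */
int check_cert_args(int for_trusted_store, const uint8_t *cert, size_t cert_len, const uint8_t *key, size_t key_len)
{
    if (classify_blob(cert, cert_len) != BLOB_DER_CERT) return -1;
    if (for_trusted_store) return (key == NULL && key_len == 0) ? 0 : -2;   /* the question's mistake */
    return (key != NULL && classify_blob(key, key_len) == BLOB_DER_PKCS1_RSA_KEY) ? 0 : -3;
}

/* Constructed minimal DER shapes for exercising the checks; not real credentials. */
const uint8_t sample_cert_der[]  = { 0x30, 0x04, 0x30, 0x02, 0x05, 0x00 };
const uint8_t sample_pkcs1_der[] = { 0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x05 };
const uint8_t sample_pkcs8_der[] = { 0x30, 0x07, 0x02, 0x01, 0x00, 0x30, 0x00, 0x04, 0x00 };
const uint8_t sample_pem[]       = "-----BEGIN CERTIFICATE-----\n";
```

Running the same checks over the real amazon_root_ca_cert, amazon_cert and private_key buffers before the NetX calls catches a PEM file that was never converted to DER and a key that is PKCS#8 rather than the PKCS#1 form NX_SECURE_X509_KEY_TYPE_RSA_PKCS1_DER names.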
