when using client certificates (mutual TLS) in python you need to create a SSL context:
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.load_cert_chain(certfile=certificate_file, keyfile=key_file)
Currently, python requires that the private key be provided in the form of a file, which may or may not be password protected. When developing for IOT devices, this is not ideal as the private key needs to be stored on the file system. Ideally, we would be able to make use of a HSM that keeps the private key securely stored within it and then have python/openssl delegate the private key verification to the HSM, which securely verifies a private key without ever exposing it.
Openssl supports this through the use of engines, which are often provided by the HSM manufacturer. For example, the zymkey for raspberry pi ( ZYMKEY 4i, Security Module for Raspberry Pi – zymbit) allows you to use the “zymkey_ssl” engine ( AWS IoT - TLS Client Certificate Authentication using Zymkey 4i - ZYMKEY4 / Other - Zymbit Community
As far as i’m aware, the python layer does not support this functionality.