There are multiple .pem files used for Amazon AWS. You don't need to make an X.509 certificate when you use the web GUI in the Amazon Management Console to start an instance. When you create an instance using the web GUI you need a keypair.pem file, which is managed in AWS. The private key generated when you create a key pair is not stored on the Amazon system, so you have to store it yourself.
The confusing part is that the keypair.pem file is NOT what the .bashrc profile environment variables point to. Those variables refer to the certxxx.pem and pkxxx.pem files used by the command line AWS API tools.
When you connect from the command line you need to create an X.509 certificate and store both the certificate and the private key associated with it. There are 2 private keys, one for the key pair and one for the X.509 certificate. You need these 2 files to use the command line tools. Very confusing. I used the keypair .pem private key file and downloaded the certificate from the AWS management console.
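Because two different private keys end up on disk, it helps to check which one actually belongs to the X.509 certificate. The script below is an added example, not part of the original text: it compares the public half of each private key with the public key embedded in the certificate, using `openssl`. The file names `pk-sample.pem`, `cert-sample.pem` and `keypair.pem` and the generated sample material are constructed stand-ins for the pkxxx.pem, certxxx.pem and key pair files.

```shell
#!/bin/sh
# Added example: tell apart the two private keys by checking which one
# belongs to the X.509 certificate. All file names are constructed.

# Succeeds (exit 0) only if the private key's public half equals the
# public key embedded in the certificate. Exit 2 = unreadable input.
key_matches_cert() {   # usage: key_matches_cert KEY.pem CERT.pem
    kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    kmc_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_cert" ]
}

# Print the first key file that matches the certificate.
find_key_for_cert() {  # usage: find_key_for_cert CERT.pem KEY.pem...
    fk_cert=$1; shift
    for fk_key in "$@"; do
        if key_matches_cert "$fk_key" "$fk_cert"; then
            printf '%s\n' "$fk_key"
            return 0
        fi
    done
    return 1
}

# Build constructed sample material: a self-signed certificate with its
# private key (standing in for cert*.pem / pk*.pem) and an unrelated RSA
# key (standing in for the instance keypair.pem).
make_sample() {        # usage: make_sample DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-example" \
        -keyout "$1/pk-sample.pem" -out "$1/cert-sample.pem" 2>/dev/null &&
    openssl genrsa -out "$1/keypair.pem" 2048 2>/dev/null &&
    chmod 600 "$1/pk-sample.pem" "$1/keypair.pem"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "key for cert-sample.pem: $(find_key_for_cert "$demo_dir/cert-sample.pem" \
    "$demo_dir/keypair.pem" "$demo_dir/pk-sample.pem")"
rm -rf "$demo_dir"
```

An unreadable or missing file returns exit status 2 rather than being treated as a match, so a typo in a path cannot pass the check.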