diff --git a/moto/iot/models.py b/moto/iot/models.py
index 06f85f2fb..f6175ed69 100644
--- a/moto/iot/models.py
+++ b/moto/iot/models.py
@@ -3,6 +3,7 @@ import re
 import time
 from collections import OrderedDict
 from cryptography import x509
+from cryptography.hazmat._oid import NameOID
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import serialization, hashes
@@ -598,13 +599,13 @@ class IoTBackend(BaseBackend):
             pem, ca_certificate_pem=None, set_as_active=set_as_active, status="INACTIVE"
         )
 
-    def _generate_certificate_pem(self, domain_name, subject):
+    def _generate_certificate_pem(self, domain_name, subject, key=None):
         sans = set()
         sans.add(domain_name)
         sans = [x509.DNSName(item) for item in sans]
-        key = rsa.generate_private_key(
+        key = key or rsa.generate_private_key(
             public_exponent=65537, key_size=2048, backend=default_backend()
         )
         issuer = x509.Name(
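Review bot: The added import reaches into `cryptography.hazmat._oid`, a private module (leading underscore) with no API-stability guarantee, so a routine upgrade of the cryptography dependency can break this file at import time. The same enum is exported through the public path and the line should read `from cryptography.x509.oid import NameOID`; the only consumer in this patch, `NameOID.COMMON_NAME` in `create_keys_and_certificate`, needs no change. Keeping to public paths also keeps the project's supply-chain surface easier to audit, since private modules are free to move or change semantics between releases.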
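Review bot: `key = key or rsa.generate_private_key(...)` decides on the truthiness of the key object rather than on whether the caller passed one; an explicit `if key is None:` guard states the intended contract (a supplied key is always used) instead of relying on the key type's `__bool__`. The new parameter is also undocumented: a short docstring such as `"""Return a PEM certificate for domain_name; signs with `key` when given, otherwise with a freshly generated 2048-bit RSA key."""` would tell callers that passing `key` is what makes the certificate correspond to a key pair they already hold — the signing step itself is outside this hunk, so confirm the remainder of the body really uses `key` there. `_generate_certificate_pem` continues past the end of the hunk.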
@@ -822,11 +823,28 @@ class IoTBackend(BaseBackend):
     def create_keys_and_certificate(self, set_as_active):
         # implement here
         # caCertificate can be blank
+        private_key = rsa.generate_private_key(
+            public_exponent=65537, key_size=2048, backend=default_backend()
+        )
         key_pair = {
-            "PublicKey": random.get_random_string(),
-            "PrivateKey": random.get_random_string(),
+            "PublicKey": private_key.public_key()
+            .public_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PublicFormat.SubjectPublicKeyInfo,
+            )
+            .decode("utf-8"),
+            "PrivateKey": private_key.private_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PrivateFormat.TraditionalOpenSSL,
+                encryption_algorithm=serialization.NoEncryption(),
+            ).decode("utf-8"),
         }
-        certificate_pem = random.get_random_string()
+        subject = x509.Name(
+            [x509.NameAttribute(NameOID.COMMON_NAME, "AWS IoT Certificate")]
+        )
+        certificate_pem = self._generate_certificate_pem(
+            "getmoto.org", subject, key=private_key
+        )
         status = "ACTIVE" if set_as_active else "INACTIVE"
         certificate = FakeCertificate(
             certificate_pem, status, self.account_id, self.region_name
diff --git a/tests/test_iot/test_iot_certificates.py b/tests/test_iot/test_iot_certificates.py
index 31bd17cdd..729cddbe2 100644
--- a/tests/test_iot/test_iot_certificates.py
+++ b/tests/test_iot/test_iot_certificates.py
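Review bot: The stale `# implement here` comment at the top of `create_keys_and_certificate` is now wrong — the body generates a real 2048-bit RSA key pair and a certificate for it — and should be replaced by a docstring that states what the mock hands back. Something like `"""Generate a fresh 2048-bit RSA key pair and a certificate issued for it; PrivateKey is an unencrypted TraditionalOpenSSL PEM, PublicKey a SubjectPublicKeyInfo PEM."""` would also make the `NoEncryption()` choice deliberate rather than accidental: the response carries usable private-key material in the clear, so anything that records mock responses (fixtures, debug logs) should treat it as secret even though the key is throwaway — presumably this mirrors the real API's response shape, worth saying in the docstring. Generating an RSA key on every call is also a measurable cost per test; a brief why-comment on the `rsa.generate_private_key` line (e.g. `# real key so the certificate verifies against the returned public key`) would stop a future maintainer from "optimising" it back to a random string. The function continues past the end of the hunk.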
@@ -41,10 +41,16 @@ def test_create_key_and_certificate():
     cert = client.create_keys_and_certificate(setAsActive=True)
     cert.should.have.key("certificateArn").which.should_not.be.none
     cert.should.have.key("certificateId").which.should_not.be.none
-    cert.should.have.key("certificatePem").which.should_not.be.none
+    cert.should.have.key("certificatePem").which.should.match(
+        r"^-----BEGIN CERTIFICATE-----"
+    )
     cert.should.have.key("keyPair")
-    cert["keyPair"].should.have.key("PublicKey").which.should_not.be.none
-    cert["keyPair"].should.have.key("PrivateKey").which.should_not.be.none
+    cert["keyPair"].should.have.key("PublicKey").which.should.match(
+        r"^-----BEGIN PUBLIC KEY-----"
+    )
+    cert["keyPair"].should.have.key("PrivateKey").which.should.match(
+        r"^-----BEGIN RSA PRIVATE KEY-----"
+    )
 
 
 @mock_iot
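Review bot: The new assertions only check PEM header prefixes, so the property the backend change actually introduces — that `certificatePem` is issued for the key in `keyPair` rather than for an unrelated one — is never verified, and a regression back to a separately generated signing key would still pass. Parsing the certificate and comparing its public key to `keyPair["PublicKey"]` pins that relationship; the lines below do that and would go after the existing prefix checks. The test module's imports are outside this hunk, so `x509` and `serialization` from `cryptography` need to be imported there if they are not already; on older cryptography releases `load_pem_x509_certificate` additionally needs a `default_backend()` argument, as `models.py` already passes elsewhere.
```python
    # … unchanged: existing PEM-prefix assertions …
    loaded = x509.load_pem_x509_certificate(cert["certificatePem"].encode("utf-8"))
    loaded.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    ).decode("utf-8").should.equal(cert["keyPair"]["PublicKey"])
```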