PKI Engineer

Job Description:

Required Skills:

1. Ideal candidate should be well experienced in PKI, certificate lifecycle management (CLCM), infrastructure automation and credential management (CMS) systems. Should have experience with ACME protocols, scripting (e.g., PowerShell, Python), and enterprise CLM tools
2. Windows, Linux/Unix, Apache, Tomcat, Java Keystore, F5, Azure Key Vault.
3. This is a hardcore development/engineering role

Responsibilities:

Key Responsibilities:

Lead the infrastructure protection strategy to create, evolve, and secure the internal PKI and credential management security strategy.
Design, implement, and operate enterprise-grade PKI solutions, including internal and external Certificate Authorities (CAs), Hardware Security Modules (HSMs), and certificate lifecycle management platforms.
Create design components, develop code, and test changes using test-driven development methodologies.
Provide subject matter expertise in resolving complex problems related to the PKI environment.
Manage, secure, engineer and provide governance for key and certificate management services, including robust, enterprise-grade PKI, certificate lifecycle management (CLCM), infrastructure automation and credential management (CMS) systems.
Implement and maintain automated certificate renewal programs; capture use-cases for certificate revocation, enrollment & renewal processes.
Monitor creation of encryption keys to ensure protection against modification and unauthorized disclosure.
Define Trust Strategies and understand security and governance requirements for Certification Authorities.
Architect and manage internal PKI infrastructure, including CA, RA, CRL, OCSP, and HSM integrations.
Design and implement certificate lifecycle automation using ACME protocols, scripting (e.g., PowerShell, Python), and enterprise CLM tools.
Install and manage certificates across platforms: Windows, Linux/Unix, Apache, Tomcat, Java Keystore, F5, Azure Key Vault.
Implement digital certificate policies aligned with X.509 standards and CA/Browser Forum baseline requirements.
Develop and maintain Certificate Policy and Certificate Practice Statements (CP/CPS).
Provide PKI support for application integrations, including TLS/SSL, S/MIME, 802.1x, Smartcards, and Code Signing.
Collaborate with IAM, Infrastructure, Security, and Application teams to integrate PKI into broader identity solutions.
Contribute to change management and documentation using ITSM tools (ServiceNow, Remedy).
Maintain high availability and disaster recovery readiness for PKI infrastructure.
Track and report on PKI service metrics, SLAs, KPIs, and KRIs to ensure operational excellence.
Develop and maintain SOPs, technical documentation, and training materials.

Preferred Skills:

Strong technical knowledge of enterprise PKI operations, cryptographic algorithms (symmetric/asymmetric), digital signatures, with strong understanding of compliance, auditing, and key management.
Microsoft certifications (e.g., Azure Security Engineer, MCSA).
Knowledge of CA/B Forum, RFC 5280, RFC 6960 (OCSP).
Familiarity with containerized environments and Kubernetes certificate management.
Experience with Active Directory Certificate Services, GlobalSign, Sectigo, DigiCert, Keyfactor, OpenSSL, or other certificate management platforms. Understanding of OCSP, CA, RA, CRL, and BYOK configurations.
Comprehensive understanding of the PKI/HSM ecosystem, including technology, standards, implementations, and migration strategies.
Experience with developing scripts for administrative and automation tasks.
Collaborate with other IT and Operational teams to integrate PKI solutions with existing systems/applications.
Monitor and troubleshoot PKI-related issues.
Assist and educate users/administrators with certificate-enabled applications, such as SSL/TLS, S/MIME, Code Signing, Smartcard, 802.1x, EAP-TLS, etc.
Drive technical discussions to understand digital certificate services requirements.
Maintain and enhance global solutions for the digital certificate area, ensuring high availability and disaster recovery.
Knowledge of PKI Standards, including X.509, CP/CPS, and CA/Browser Forum Baseline Requirements.