Identity Architect Certificate Lifecycle Automation - Remote

Remote • Posted 3 hours ago • Updated 3 hours ago
Contract W2
On-site
$75-90/hr

Job Details

Skills

  • Retail
  • Systems Design
  • DevOps
  • RACI
  • Change Management
  • Inventory
  • Microsoft
  • Network
  • Auditing
  • ISO 9000
  • Recovery
  • Total Productive Maintenance
  • TPM
  • TLS
  • Training
  • Onboarding
  • Management
  • Customer Service
  • Security Engineering
  • Lifecycle Management
  • API
  • X.509
  • Corporate Social Responsibility
  • RSA
  • Active Directory
  • SAS Cloud Analytic Services
  • OpenSSL
  • Windows PowerShell
  • Python
  • Bash
  • Microsoft Windows
  • Linux
  • Java
  • PKCS
  • F5
  • Citrix
  • Microsoft IIS
  • Apache HTTP Server
  • Nginx
  • Cloud Computing
  • Microsoft Azure
  • Google Cloud Platform
  • Google Cloud
  • Configuration Management
  • Ansible
  • Microsoft SCCM
  • Puppet
  • Progress Chef
  • Continuous Integration
  • Continuous Delivery
  • Regulatory Compliance
  • System On A Chip
  • ISO/IEC 27001:2005
  • Kubernetes
  • Workflow
  • Hierarchical Storage Management
  • Amazon Web Services
  • SIEM
  • Splunk
  • Professional Services
  • CISSP
  • GSEC
  • PKI
  • Soft Skills
  • Communication
  • Presentations
  • Leadership
  • IT Risk
  • IT Risk Management
  • Budget
  • Documentation
  • Knowledge Transfer

Summary

Role Summary
Seeking an Identity Engineer/Architect with deep expertise in machine identity, PKI, and certificate lifecycle automation to lead the discovery, design, and automation of enterprise certificate issuance for a Fortune 500 retail client. You will work directly with the client's Security, PKI, Infrastructure, and Application teams to assess the current-state certificate landscape across approximately 2,000 systems, design a target-state automation architecture leveraging Sectigo and existing internal CAs, and build the automation framework that will modernize certificate issuance, renewal, and revocation across a heterogeneous environment.
This is a hands-on architect role: equal parts strategy, design, and engineering execution.

Key Responsibilities
Planning & Governance
  • Lead PKI and certificate automation kickoff with stakeholders across Security, PKI, Infrastructure, DevOps, and Application teams
  • Establish governance models, RACI, and change management workflows for certificate lifecycle operations
  • Define wave-based rollout strategy and success criteria

Discovery & Assessment
  • Conduct comprehensive certificate inventory across Sectigo, internal CAs, Microsoft CA, OpenSSL, and manual issuance sources
  • Identify and classify certificates by type (server TLS, client auth, mTLS, signing), key parameters, install location, and ownership
  • Surface orphaned certificates, manual renewal processes, and business-critical uptime constraints
  • Map system dependencies across Windows/IIS, Linux (Apache/Nginx), Kubernetes, F5/Citrix load balancers, AWS/Azure/Google Cloud Platform, Java (JKS/PKCS12), and network appliances

Design
  • Architect the target-state certificate lifecycle: request → issuance → installation → validation → renewal → revocation
  • Define certificate standards (naming, SAN policies, validity, renewal thresholds) and Sectigo template strategy
  • Design platform-specific automation approaches: ACME, agent-based enrollment, API-driven issuance, and integrations with Ansible, SCCM, Puppet, and Chef
  • Define monitoring, alerting, audit logging, and SIEM integration for compliance (SOC2, ISO)
  • Design rollback, recovery, and key custody strategies (HSM, TPM, vault integration)

Engineering & Implementation
  • Develop automation modules for CSR/key generation, Sectigo API/ACME issuance, certificate retrieval and chain bundling, platform-specific installation, service reload, and post-install TLS validation
  • Implement centralized telemetry, failure handling, retry logic, and rollback procedures
  • Execute pilot waves (20-50 systems each), refine based on findings, and produce runbooks
  • Coordinate with system owners and change windows during deployment

Knowledge Transfer
  • Deliver operational runbooks, training, and onboarding guides for BAU certificate management
  • Conduct formal handoff to client operations teams

Required Qualifications
  • 7+ years in identity, PKI, or security engineering, with 3+ years specifically focused on certificate lifecycle management at enterprise scale
  • Hands-on expertise with Sectigo Certificate Manager (CCM), including API integration, template configuration, and ACME enrollment
  • Deep knowledge of PKI fundamentals: X.509, certificate chains, CSR workflows, RSA/ECDSA, OCSP/CRL, HSM integration
  • Experience with Microsoft Active Directory Certificate Services (AD CS), internal/private CAs, and OpenSSL
  • Proven automation experience with Ansible, PowerShell, Python, and/or Bash for certificate operations
  • Experience deploying certificates across heterogeneous platforms: Windows certificate store, Linux PEM, Java keystores (JKS/PKCS12), Kubernetes secrets, F5/Citrix, IIS, Apache/Nginx
  • Familiarity with cloud certificate services (AWS ACM, Azure Key Vault, Google Cloud Platform Certificate Manager)
  • Experience integrating with configuration management (Ansible, SCCM, Puppet, Chef) and CI/CD pipelines
  • Strong understanding of compliance frameworks (SOC2, ISO 27001) as they apply to cryptographic controls

Preferred Qualifications
  • Experience with Venafi, Keyfactor, or AppViewX (transferable to Sectigo-centric design)
  • Kubernetes/cert-manager and service mesh (Istio, Linkerd) certificate workflows
  • HSM experience (Thales, Entrust nShield, AWS CloudHSM)
  • SIEM integration (Splunk, Sentinel, Elastic) for certificate event logging
  • Prior consulting or professional services delivery experience
  • Certifications: CISSP, GIAC GPCS, GSEC, or vendor PKI credentials

Soft Skills
  • Strong stakeholder communication: comfortable presenting architecture decisions to security leadership and translating technical risk for business audiences
  • Disciplined delivery in a time- and budget-bound engagement (NTE 640 engineering hours)
  • Documentation rigor: runbooks, design documents, and knowledge transfer materials must be operations-ready
  • Dice Id: cxbcsi
  • Position Id: Job44528