PKI / TLS Certificate Engineer

Job Title: PKI / TLS Certificate Engineer
Location: REMOTE
Pay Rate: Open to Both C2C and W2 options 
Position Type: Multiyear Contract

Certificate Management Engineering (CME) is seeking a DevOps-focused contractor to support Operations and Automation workstreams across enterprise certificate lifecycle management. This role will help design, build, and run automation that reduces manual certificate work, improves reliability, and strengthens security outcomes-covering X.509 certificate inventory/renewal automation, notification and escalation workflows, and integrations with operational ticketing processes.
The contractor will also support modernization initiatives that expand CME capabilities into Kubernetes certificate automation and code/container signing, including integration patterns and tooling used to manage certificates and machine identities in cloud/Kubernetes environments.

Key Responsibilities:
Operations Enablement (Reliability)
•    Support day-to-day operational execution for certificate lifecycle work (issuance, renewal, replacement, decommission) with a strong focus on reducing manual handling and preventing certificate-expiration risk.
•    Enhance operational workflows that include scripted Outlook notification/escalation logic and operational integrations (e.g., ticket/task creation).
•    Partner with engineering and operations stakeholders to standardize repeatable procedures and ensure traceability of changes.
Automation Engineering (Build and Scale)
•    Develop and maintain automation that expands certificate coverage and reduces manual renewal effort, building on existing code-based automations and monitoring/notification patterns.
•    Implement or improve automation around certificate deployment patterns in modern platforms, including Kubernetes environments using components such as TLS for Kubernetes (TLSPK) and cert-manager.
•    Contribute to automation patterns for code/container signing processes and pipelines, helping establish consistent standards and repeatable workflows.
Platform & Tooling Support
•    Support and enhance automations and operational improvements for CyberArk (formerly Venafi) Certificate Manager within CMEs ecosystem.
•    Assist in enabling cloud/Kubernetes certificate management approaches that leverage machine identity management tooling referenced by the team (e.g., Workload Identity Manager / Venafi Firefly references in CME materials).

Must-Have Qualifications (Required)
•    Certificates / X.509 lifecycle management experience (request/issue/renew/replace/decommission, inventory/monitoring, risk reduction).
•    PKI fundamentals (CAs, chains, key usage, SANs, revocation, policy constraints; ability to troubleshoot certificate path and deployment issues).
•    PowerShell (advanced scripting for automation, error handling, logging, packaging, scheduling, and secure credential handling).
•    DevOps/automation mindset with production support experience (building reliable runbooks, monitoring/alerting hooks, and operational handoffs).
•    Ability to work cross-functionally with security, infrastructure, and platform teams to deliver automation that is operationally supportable.

Nice-to-Have Skills (Preferred)
•    Venafi Trust Protection Platform / CyberArk Certificate Manager - Self Hosted
•    CyberArk Certificate Manager - Kubernetes
•    CyberArk Code Sign Manager
•    Kubernetes cert-manager
•    SPIFFE / SPIRE
•    ServiceNow
•    Python
•    Ansible
•    Golang
•    Bash
•    vcert

Deliverables & Success Measures
•    Operational reduction of manual certificate tasks via automation improvements and measurable decreases in human touchpoints (especially renewal and deployment workflows).
•    Improved notification/escalation effectiveness and reduced surprise expirations via scripted communication and integrated tasking.
•    Working automation patterns for Kubernetes certificate management using components like cert-manager and related Kubernetes TLS enablement approaches referenced by CME.
•    Supportable automation artifacts: source-controlled scripts, documentation/runbooks, and operational readiness for change-management expectations.

Working Relationships
•    Works closely with CME engineering leadership and peer engineers supporting certificate automation, Kubernetes enablement, and signing initiatives.
•    Coordinates with platform and change stakeholders to ensure automation is production-ready and appropriately documented.

System One, and its subsidiaries including Joulé and Mountain Ltd., are leaders in delivering outsourced services and workforce solutions across North America. We help clients get work done more efficiently and economically, without compromising quality. System One not only serves as a valued partner for our clients, but we offer eligible employees health and welfare benefits coverage options including medical, dental, vision, spending accounts, life insurance, voluntary plans, as well as participation in a 401(k) plan.

System One is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity, age, national origin, disability, family care or medical leave status, genetic information, veteran status, marital status, or any other characteristic protected by applicable federal, state, or local law.

Ref: #851-Rockville-S1