Sr. PKI Engineer

Description
Sr. PKI Engineer to design, implement, and operate enterprise-grade Public Key Infrastructure (PKI) services with a strong focus on Microsoft Active Directory Certificate Services (AD CS) and Active Directory (AD) integration. Handson implementation and integration knowledge of certificate lifecycle management, CA hierarchy governance, enrollment automation, HSM-backed key protection, CA backup restore, migration and integration with platforms such as Windows Server, Linux, network/security devices, cloud providers, MDM/EPP, and zero-trust tooling. Subject matter expert for cryptographic standards, certificate-based authentication, and PKI security controls across the organization.
Required experience:

1. ADCS (Active Directory Certificate Services)
2. PKI integration with Active Directory, Powershell Scripting (forests/domains, ADCS, AIA/CDP locations, GPOs)
3. Deploying, configuring, implementing, and installing PKI/ADCS components - design/migration of PKI

Minimum Qualifications
8+ years in Security Engineering/Identity Infrastructure, including 5+ years hands-on with Microsoft AD CS and enterprise Active Directory with managing CA infrastructure
Proven experience designing, deploying, and operating multi-tier Microsoft PKI (offline root, issuing CAs) in large/complex environments.
Deep knowledge of X.509, CRL/OCSP, EKU/KU, SANs, key algorithms and sizes (RSA/ECC), hashing (SHA-2), and certificate validation paths.
Experience with 802.1X/EAP-TLS, TLS/mTLS, VPN auth, and device/user certificate issuance at scale.
HSM experience (e.g., nCipher/Entrust/Thales) for CA key management.
Nice to Have Skills

• Automation
• Active Directory

Responsibilities:
Architecture & Design

• Design multi-tier PKI architectures (offline Root, Policy CA, Issuing CAs)
• Lead key ceremonies, CRL/OCSP design, secure issuance workflows
• Engineer certificates for TLS/mTLS, 802.1X, code signing, S/MIME, BitLocker, device identity
• Implement HSM-backed key storage
• Define crypto standards: RSA/ECC/PQC, hashing, and key sizes

Operations & Automation

• Own certificate lifecycle management (issuance, renewal, revocation)
• Implement automation via Intune, GPO, Auto-enrollment, SCEP/NDES, ACME, MDM
• Manage CRL/OCSP publication and HA/geo-distributed endpoints
• Automate with PowerShell/APIs for inventory, bulk issuance, drift detection
• Manage CA backup, restore, renewal, and migration

Security & Compliance

• Ensure alignment with FIPS 140-2/3, NIST, CAB Forum, Microsoft Security Baselines
• Perform PKI risk assessments, template reviews, EKU/KU controls
• Lead PKI-related incident response
• Maintain compliance with SOX, PCI, HIPAA, ISO 27001

Qualifications

• 8+ years in Security/Identity Infrastructure
• 5+ years hands-on with Microsoft ADCS and enterprise AD PKI
• Deep knowledge of X.509, CRL/OCSP, SANs, EKU/KU, RSA/ECC, hashing, validation paths
• Strong PowerShell and Windows Server experience
• Experience with 802.1X/EAP-TLS, TLS/mTLS, VPN certificate auth at scale
• HSM experience (Thales/nCipher/Entrust) required

Skills
ADCS, Active Directory Certification Services, PKI, Automation, Active directory
Top Skills Details
ADCS,Active Directory Certification Services,PKI
Job Type & Location
This is a Contract position based out of Charlotte, NC.
Pay and Benefits
The pay range for this position is $75.00 - $85.00/hr.
Eligibility requirements apply to some benefits and may depend on your job classification and length of employment. Benefits are subject to change and may be subject to specific elections, plan, or program terms. If eligible, the benefits available for this temporary role may include the following: Medical, dental & vision Critical Illness, Accident, and Hospital 401(k) Retirement Plan - Pre-tax and Roth post-tax contributions available Life Insurance (Voluntary Life & AD&D for the employee and dependents) Short and long-term disability Health Spending Account (HSA) Transportation benefits Employee Assistance Program Time Off/Leave (PTO, Vacation or Sick Leave)
Workplace Type
This is a fully onsite position in Charlotte,NC.
Application Deadline
This position is anticipated to close on Mar 16, 2026.
>About TEKsystems:
We're partners in transformation. We help clients activate ideas and solutions to take advantage of a new world of opportunity. We are a team of 80,000 strong, working with over 6,000 clients, including 80% of the Fortune 500, across North America, Europe and Asia. As an industry leader in Full-Stack Technology Services, Talent Services, and real-world application, we work with progressive leaders to drive change. That's the power of true partnership. TEKsystems is an Allegis Group company.

The company is an equal opportunity employer and will consider all applications without regards to race, sex, age, color, religion, national origin, veteran status, disability, sexual orientation, gender identity, genetic information or any characteristic protected by law.

About TEKsystems and TEKsystems Global Services

We're a leading provider of business and technology services. We accelerate business transformation for our customers. Our expertise in strategy, design, execution and operations unlocks business value through a range of solutions. We're a team of 80,000 strong, working with over 6,000 customers, including 80% of the Fortune 500 across North America, Europe and Asia, who partner with us for our scale, full-stack capabilities and speed. We're strategic thinkers, hands-on collaborators, helping customers capitalize on change and master the momentum of technology. We're building tomorrow by delivering business outcomes and making positive impacts in our global communities. TEKsystems and TEKsystems Global Services are Allegis Group companies. Learn more at TEKsystems.com.

The company is an equal opportunity employer and will consider all applications without regard to race, sex, age, color, religion, national origin, veteran status, disability, sexual orientation, gender identity, genetic information or any characteristic protected by law.