Job Description

Position: Public Key Infrastructure (PKI) Engineer
Location: Washington, DC (metro accessible) - Must work EST Hours (there is no requirement to be onsite)
Duration: Thru Fiscal Year End (April 2026) w/ a Possible 1-year Extension

• Run the Day-to-Day PKI Operations
• No Hands-on at this time (but has had most or all of the responsibilities listed below at one time or another) - be the "choreographer, not the dancer"
• "Run the Show" (but not a PM - they have that position filled already)
• Know how PKI works and how PKI 'should' work
• Will have been responsible for most of these skillsets at some point in the past (and can provide examples):
  • Lead the infrastructure protection strategy to create, evolve, and secure internal PKI and credential management security strategy.
  • Design, implement, and operate enterprise-grade PKI solutions, including internal and external Certificate Authorities (CAs), Hardware Security Modules (HSMs), and certificate lifecycle management platforms.
  • Create design components, develop code, and test changes using test-driven development methodologies.
  • Provide subject matter expertise in resolving complex problems related to PKI environment.
  • Manage, secure, engineer and provide governance for key and certificate management services, including robust, enterprise-grade PKI, certificate lifecycle management (CLCM), infrastructure automation and credential management (CMS) systems.
  • Implement and maintain automated certificate renewal programs; capture use-cases for certificate revocation, enrollment & renewal processes.
  • Monitor creation of encryption keys to ensure protection against modification and unauthorized disclosure.
  • Define Trust Strategies and understand security and governance requirements for Certification Authorities.
  • Architect and manage internal PKI infrastructure including CA, RA, CRL, OCSP, and HSM integrations.
  • Design and implement certificate lifecycle automation using ACME protocols, scripting (e.g., PowerShell, Python), and enterprise CLM tools.
  • Install and manage certificates across platforms: Windows, Linux/Unix, Apache, Tomcat, Java Keystore, F5, Azure Key Vault.
  • Implement digital certificate policies aligned with X.509 standards and CA/Browser Forum baseline requirements.
  • Develop and maintain Certificate Policy and Certificate Practice Statements (CP/CPS).
  • Provide PKI support for application integrations, including TLS/SSL, S/MIME, 802.1x, Smartcards, and Code Signing.
  • Collaborate with IAM, Infrastructure, Security, and Application teams to integrate PKI into broader identity solutions.
  • Contribute to change management and documentation using ITSM tools (ServiceNow, Remedy).
  • Maintain high availability and disaster recovery readiness for PKI infrastructure.
  • Track and report on PKI service metrics, SLAs, KPIs, and KRIs to ensure operational excellence.
  • Develop and maintain SOPs, technical documentation, and training materials.

Preferred Skills:

• Strong technical knowledge of:
  • Enterprise PKI Operations
  • Cryptographic Algorithms (symmetric/asymmetric)
  • Digital Signatures
• Strong understanding of:
  • Compliance
  • Auditing
  • Key Management
• Microsoft certifications (e.g., Azure Security Engineer, MCSA).
• Knowledge of CA/B Forum, RFC 5280, RFC 6960 (OCSP).
• Familiarity with containerized environments and Kubernetes certificate management.
• Experience with Active Directory Certificate Services, GlobalSign, Sectigo, DigiCert, Keyfactor, OpenSSL, or other certificate management platforms.
• Understanding of OCSP, CA, RA, CRL, and BYOK configurations.
• Comprehensive understanding of the PKI/HSM ecosystem, including technology, standards, implementations, and migration strategies.
• Experience with developing scripts for administrative and automation tasks.
• Collaborate with other IT and Operational teams to integrate PKI solutions with existing systems/applications.
• Monitor and troubleshoot PKI related issues.
• Assist and educate users/administrators with certificate enabled applications, such as SSL/TLS, S/MIME, Code Signing, Smartcard, 802.1x, EAP-TLS, etc.
• Drive technical discussions to understand digital certificate services requirements.
• Maintain and enhance global solutions for the digital certificate area ensuring high availability and disaster recovery.
• Knowledge of PKI Standards including X.509, CP/CPS, CA/Browser Forum Baseline Requirements.

Job Tags

Similar Jobs