Job Description

Public Key Infrastructure (PKI) Engineer

͏

Key Responsibilities

• Lead the infrastructure protection strategy to create, evolve, and secure internal PKI and credential management security strategy.
• Design, implement, and operate enterprise-grade PKI solutions, including internal and external Certificate Authorities (CAs), Hardware Security Modules (HSMs), and certificate lifecycle management platforms.
• Create design components, develop code, and test changes using test-driven development methodologies.
• Provide subject matter expertise in resolving complex problems related to PKI environment.
• Manage, secure, engineer and provide governance for key and certificate management services, including robust, enterprise-grade PKI, certificate lifecycle management (CLCM), infrastructure automation and credential management (CMS) systems.
• Implement and maintain automated certificate renewal programs; capture use-cases for certificate revocation, enrollment & renewal processes.
• Monitor creation of encryption keys to ensure protection against modification and unauthorized disclosure.
• Define Trust Strategies and understand security and governance requirements for Certification Authorities.
• Architect and manage internal PKI infrastructure including CA, RA, CRL, OCSP, and HSM integrations.
• Design and implement certificate lifecycle automation using ACME protocols, scripting (e.g., PowerShell, Python), and enterprise CLM tools.
• Install and manage certificates across platforms: Windows, Linux/Unix, Apache, Tomcat, Java Keystore, F5, Azure Key Vault.
• Implement digital certificate policies aligned with X.509 standards and CA/Browser Forum baseline requirements.
• Develop and maintain Certificate Policy and Certificate Practice Statements (CP/CPS).
• Provide PKI support for application integrations, including TLS/SSL, S/MIME, 802.1x, Smartcards, and Code Signing.
• Collaborate with IAM, Infrastructure, Security, and Application teams to integrate PKI into broader identity solutions.
• Contribute to change management and documentation using ITSM tools (ServiceNow, Remedy).
• Maintain high availability and disaster recovery readiness for PKI infrastructure.
• Track and report on PKI service metrics, SLAs, KPIs, and KRIs to ensure operational excellence.
• Develop and maintain SOPs, technical documentation, and training materials.

͏

Preferred Skills

• Strong technical knowledge of enterprise PKI operations, cryptographic algorithms (symmetric/asymmetric), digital signatures, with strong understanding of compliance, auditing, and key management.
• Microsoft certifications (e.g., Azure Security Engineer, MCSA).
• Knowledge of CA/B Forum, RFC 5280, RFC 6960 (OCSP).
• Familiarity with containerized environments and Kubernetes certificate management.
• Experience with Active Directory Certificate Services, GlobalSign, Sectigo, DigiCert, Keyfactor, OpenSSL, or other certificate management platforms. Understanding of OCSP, CA, RA, CRL, and BYOK configurations.
• Comprehensive understanding of the PKI/HSM ecosystem, including technology, standards, implementations, and migration strategies.
• Experience with developing scripts for administrative and automation tasks.
• Collaborate with other IT and Operational teams to integrate PKI solutions with existing systems/applications.
• Monitor and troubleshoot PKI related issues.
• Assist and educate users/administrators with certificate enabled applications, such as SSL/TLS, S/MIME, Code Signing, Smartcard, 802.1x, EAP-TLS, etc.
• Drive technical discussions to understand digital certificate services requirements.
• Maintain and enhance global solutions for the digital certificate area ensuring high availability and disaster recovery.
• Knowledge of PKI Standards including X.509, CP/CPS, CA/Browser Forum Baseline Requirements.

͏

Deliver