Senior PKI Engineer

Position Summary

The Senior PKI Engineer is responsible for designing, implementing, securing, and maintaining enterprise Public Key Infrastructure (PKI) services that support mission-critical authentication, encryption, digital signature, and certificate lifecycle operations. This role requires a general understanding of PIV implementation in the government space.

• Administer enterprise PKI systems, including Certificate Authorities (CAs), Online Certificate Status Protocol (OCSP) responders, Hardware Security Modules (HSMs), and certificate lifecycle service products.
• Deep understanding and application of PKCS standards.
• Implement PKI in hybrid or cloud-based environments such as Azure, AWS, and Google Cloud Platform (GCP).
• Manage and configure Microsoft Active Directory Certificate Services (ADCS).

• Support the automation of certificate issuance, renewal, monitoring, and compliance reporting processes.

• Provide Tier III support for PKI, certificate-based authentication, TLS/SSL, smart cards, and identity management systems.
• Troubleshoot issues such as certificate chain validation, revocation, OCSP/CRL failures, and integration challenges.
• Ensure high availability, redundancy, and disaster recovery readiness for PKI services.

• Support for post-quantum cryptography (PQC) transitions and compliance with emerging NIST standards.
• Integrate cost-efficient open-source cryptographic libraries and JRE/JDK solutions.
• Support zero-trust architecture strategies and cloud migration efforts.
• Explore and evaluate new technologies to enhance scalability, automation, and security.

• Education: Bachelor’s degree in Computer Science, Cybersecurity, Engineering, or equivalent experience.
• Experience:
  • 7+ years of hands‑on experience in PKI engineering, certificate services, and cryptographic system management.
  • Deep expertise with:
    • Microsoft Active Directory Certificate Services (ADCS)
    • Various HSMs (Thales, Safe Net, AWS Cloud
      
      HSM, etc.)
    • OCSP/CRL infrastructure
    • TLS/SSL, S/MIME, and device certificates
    • Smart card and PIV/CAC authentication systems
  • Strong understanding of:
    • NIST standards (e.g., SP 800-57, 800-131A, 800-63)
    • FIPS 140-2/3 compliance
    • Cryptography and key algorithms (X.509, ASN.
      1, RSA/ECC/PQC)
  • Proficiency in scripting/automation via Power Shell, Python, or Bash.
  • Background in solving vulnerability management challenges and addressing POA&M items.
  • Expertise in leading key ceremonies and managing cryptographic material securely.
• Technical
  
  Skills:
  
  
  • Proficiency in networking, firewall rule implementations, and TLS/SSL troubleshooting.
  • In-depth knowledge of Windows environments, including certificate installation for CAPI and diverse applications/appliances.
  • Experience in SNMP monitoring, SIEM/syslog tools, and Docker troubleshooting.
  • Familiarity with VPN solutions (e.g., Cisco Secure Client) and NAC protocols like 802.1X.

• Knowledge and experience with PQC migration and NIST PQC algorithm adoption.
• Familiarity with identity and access management (IAM/IAG) platforms, IDMS, and federation systems.
• Hands‑on experience with cloud‑native PKI solutions (e.g., Azure Key Vault, AWS ACM Private CA).
• Relevant certifications, such as:
  • CISSP
  • CCSP
  • Security+
  • Microsoft security certifications
• Experience in high‑assurance or federal agency‑regulated environments.