PKI Engineer

PKI JDSummary~We are looking for a PKI/CLM Engineer with hands-on experience in ADCS, AWS ACM, and Venafi to design, implement, and manage enterprise PKI and Certificate Lifecycle Management services.

The role includes certificate automation, policy enforcement, infrastructure and application integration, and ensuring compliance with security and audit standards.

Required skills include CRL and OCSP maintenance, AWS Key Vault, cloud and hybrid environments, and PowerShell scripting for automation.

Roles Responsibilities~ -Manage enterprise PKI infrastructure including Root and Issuing Certificate.

Responsibilities~ Manage certificate lifecycle activities~ issuance, renewal, revocation, rekey, rollover, and retirement.

Configure and maintain Offline Root CA, Issuing CAs, certificate templates/profiles, and policy constraints.

Manage CRL/OCSP publishing and ensure high availability.

Maintain PKI documentation aligned with standards like CP/CPS, operational runbooks, and SOPs.

Support audits and compliance requirements, including CAB Forum standards.

Manage and monitor PKI/HSM operations end-to-end, including health checks, backups, configurations, and policies.

Implement and maintain processes for managing internal and external certificate lifecycles.

Monitor certificates for expiration, perform timely renewals, and revoke compromised or obsolete certificates.

Possess strong technical expertise in Microsoft Active Directory Certificate Services (ADCS), including OCSP, CRLs, certificate templates, key archival, and NDES/SCEP.

Proficient in scripting and automation, especially PowerShell, with the ability to integrate PKI solutions across platforms such as network devices, load balancers, and Windows/Linux environments.

Have solid understanding of cryptography and encryption standards, including TLS, X.509, RSA/ECC, CSRs, and secure key management with HSMs and TPMs.

Hands-on experience with cloud-based certificate and key management; strong troubleshooting skills; exposure to AWS ACM/PCA, Venafi tools, and relevant security or PKI certifications is advantageous.

Assist with enterprise-wide certificate lifecycle tasks, including requests, issuance, renewal, and revocation.

Maintain and update inventories of machine identities, including certificates, keys, and service credentials.

Assist in identifying orphaned, expired, or misconfigured machine identities.

Monitor adherence to governance controls and escalate exceptions or risks.

Maintain accurate certificate inventory records, including ownership, purpose, and expiration dates.

Identify and report at-risk certificates, including expired, soon-to-expire, weak cryptography, or unknown owners.

Assist with certificate issuance requests and validate required information.

Demonstrate experience managing enterprise-scale PKI environments across on-premises and cloud platforms, including lifecycle management and automation (e.g., Venafi Trust Protection Platform).

Possess strong technical expertise in Microsoft Active Directory Certificate Services (ADCS), including OCSP, CRLs, certificate templates, key archival, and NDES/SCEP.

Knowledge of AD, DNS, IAM operations, and CyberArk Privilege Cloud is beneficial.

Required Skills~ Microsoft ADCS SCEP AWS PCA Venafi HSM & Encryption PKI & Certificate Management.

AD (Good to have) CyberArk (Good to have)#MatchpointWe may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses.

These tools assist our recruitment team but do not replace human judgment.

Final hiring decisions are ultimately made by humans.

If you would like more information about how your data is processed, please contact us.