PKI Engineer

ESSENTIAL FUNCTIONS:

• Manage internal Certificate Authority (Active Directory Certificate Services) including, but not limited to, certificate templates, issuing and revocation of internal certificates, PKI administration, automated certificate issuance for server certificates, client certificates, SMIME certificates, and Code Signing certificates. 
• Maintain Certificate Revocation List (CRL) distribution servers critical to the entire enterprise environment.  Maintain NDES/SCEP protocol servers critical to certificate distribution for corporate Apple/Mac workstations.  Manage external Certificate Authority (DigiCert CA) including issuing and revocation of externally signed certificates, and Domain Control Validation (DCV) process.
• Knowledge of PKI and security-related concepts, with some experience in administration and configuration of certificate configurations on Windows and Linux OS, along with other platforms in the organization.
• Familiarity with configuration and management of HSMs used to secure private keys.
• Troubleshooting certificate configuration and TLS issues.
• Experience with Certificate Management solutions including Venafi, API integrations with Venafi, alerting and automation, and integrations with various other software solutions for certificate issuance and monitoring.
• Supporting multiple software, middleware, or hardware projects requiring authentication or backend communications between internal business lines, or between company and external third parties including Cloud environments (Azure, AWS, GCP).
• Provide necessary mentoring and training to all certificate owners regarding maintaining certificate security and industry level best practices.
• This position needs to keep up to date with the latest change in certificate regulations set by Certificate Authority and Browser (CA/B) Forum.
• Identify and manage all server (machine) SSH keys on an enterprise level and scope a multi-year project to replace these never expiring credentials with short-lived SSH certificates. .
• Maintain the life cycle, manage alerting, and potential automation of certificates used by machines.
• Design, document, and implement operating procedures that include systematic processes and delegation for the machine identity lifecycle and maintenance tasks.

SPECIFICATIONS:

Working knowledge of authentication and authorization through multifactor (MFA), Mutual TLS (mTLS), single sign-on (SSO), and LDAP/Kerberos integrations using certificates. Working knowledge of Windows PowerShell scripting used for certificate automation and processing.

Strong proficiency in cryptography, cryptographic standards, risk base compliance, and zero-trust. Knowledge of x509 standards as it relates to digital certificates, SSH keys, and PKI administration.

Preferred Bachelor’s degree in Information Technology/Security, and/or 4-6 years of equivalent work experience (Helpdesk, System Administration, Middleware) with a minimum of 1-3 years of experience as it relates to PKI administration, certificate management using Venafi, with working knowledge of mTLS, SSO, LDAP/Kerberos integrations or equivalent knowledge/experience.

Machine Identity Management goes beyond a solid understanding of Public Key Infrastructure (PKI) administration – which is a basic requirement.  This is the next level knowledge or evolution of the inner workings of Machine Identities including, but not limited, to SSH keys, SSH certificates, JWT,JWE, SPIFEE,SPIRE, and other forms of machine identity and access controls. This role utilizes certificates for communication, authentication, or authorization in order to successfully execute in this position.  

Working knowledge of hardware, OS, software, middleware, and applications that utilize certificates for communication, authentication, or authorization.  Ability to work projects with some supervision or assistance.  Ability to learn new functionality and processes with assistance from Sr. Engineers and or training materials or resources. Preferred Bachelor’s degree in Information Technology/Security, and/or 4-6 years of equivalent work experience (Helpdesk, System Administration, Middleware) and an additional 1 – 3 years of experience as it relates to PKI administration, certificate management using Venafi, with working knowledge of ADCS, mTLS, SSO, LDAP/Kerberos integrations or equivalent knowledge/experience.