Senior PKI Engineer

Public Trust: NACI (T1)

Requisition Type: Regular

Your Impact

Own your opportunity to work alongside federal civilian agencies. Make an impact by providing services that help the government ensure the well being and support of U.S. citizens.

Job Description

Position Summary

The Senior PKI Engineer is responsible for designing, implementing, securing, and maintaining enterprise Public Key Infrastructure (PKI) services that support mission-critical authentication, encryption, digital signature, and certificate lifecycle operations. This role requires a general understanding of PIV implementation in the government space.

Key Responsibilities

• Administer enterprise PKI systems, including Certificate Authorities (CAs), Online Certificate Status Protocol (OCSP) responders, Hardware Security Modules (HSMs), and certificate lifecycle service products.
• Deep understanding and application of PKCS standards.
• Implement PKI in hybrid or cloud-based environments such as Azure, AWS, and Google Cloud Platform (GCP).
• Manage and configure Microsoft Active Directory Certificate Services (ADCS).

Automation & Integration

• Support the automation of certificate issuance, renewal, monitoring, and compliance reporting processes.

Operations & Troubleshooting

• Provide Tier III support for PKI, certificate-based authentication, TLS/SSL, smart cards, and identity management systems.
• Troubleshoot issues such as certificate chain validation, revocation, OCSP/CRL failures, and integration challenges.
• Ensure high availability, redundancy, and disaster recovery readiness for PKI services.

Modernization & Emerging Technologies

• Support for post-quantum cryptography (PQC) transitions and compliance with emerging NIST standards.
• Integrate cost-efficient open-source cryptographic libraries and JRE/JDK solutions.
• Support zero-trust architecture strategies and cloud migration efforts.
• Explore and evaluate new technologies to enhance scalability, automation, and security.

Required Qualifications

• Education: Bachelor’s degree in Computer Science, Cybersecurity, Engineering, or equivalent experience.
• Experience:
  • 7+ years of hands-on experience in PKI engineering, certificate services, and cryptographic system management.
  • Deep expertise with:
    • Microsoft Active Directory Certificate Services (ADCS)
    • Various HSMs (Thales, SafeNet, AWS CloudHSM, etc.)
    • OCSP/CRL infrastructure
    • TLS/SSL, S/MIME, and device certificates
    • Smart card and PIV/CAC authentication systems
  • Strong understanding of:
    • NIST standards (e.g., SP 800-57, 800-131A, 800-63)
    • FIPS 140-2/3 compliance
    • Cryptography and key algorithms (X.509, ASN.1, RSA/ECC/PQC)
  • Proficiency in scripting/automation via PowerShell, Python, or Bash.
  • Background in solving vulnerability management challenges and addressing POA&M items.
  • Expertise in leading key ceremonies and managing cryptographic material securely.
• Technical Skills:
  • Proficiency in networking, firewall rule implementations, and TLS/SSL troubleshooting.
  • In-depth knowledge of Windows environments, including certificate installation for CAPI and diverse applications/appliances.
  • Experience in SNMP monitoring, SIEM/syslog tools, and Docker troubleshooting.
  • Familiarity with VPN solutions (e.g., Cisco Secure Client) and NAC protocols like 802.1X.

Preferred Qualifications

• Knowledge and experience with PQC migration and NIST PQC algorithm adoption.
• Familiarity with identity and access management (IAM/IAG) platforms, IDMS, and federation systems.
• Hands-on experience with cloud-native PKI solutions (e.g., Azure Key Vault, AWS ACM Private CA).
• Relevant certifications, such as:
  • CISSP
  • CCSP
  • Security+
  • Microsoft security certifications
• Experience in high-assurance or federal agency-regulated environments.

Work Requirements

Years of Experience

10 + years of related experience

* may vary based on technical training, certification(s), or degree

Certification

Travel Required

None

Citizenship

U.S. Citizenship Required