Systems Administration, Advisor

Job Summary

We are seeking a hands-on PKI Engineer to provide day‑to‑day operations, maintenance, and lifecycle management of our enterprise PKI services. This role ensures the integrity, availability, and compliance of cryptographic services that underpin PIV badge issuance and validation, YubiKey authentication, SSL/TLS certificate management, and Entrust Certificate Authority (CA) platforms.

Key Responsibilities

Operations & Maintenance

• Operate and maintain enterprise PKI components: root and issuing CAs, Registration Authorities, OCSP responders, CRL distribution points, and associated directory services (e.g., AD/LDAP).
• Perform routine health checks, capacity planning, patching, and disaster recovery testing for PKI infrastructure.
• Monitor certificate lifecycles (issuance, renewal, revocation) and SLAs; resolve certificate-related incidents and service requests.
• Administer and support Entrust PKI platforms (e.g., Security Manager/CA), including policy configuration, profiles, and integration with downstream systems.
• Manage SSL/TLS for internal and external services (web apps, APIs, load balancers, proxies), including naming, SAN management, cipher suite alignment, and automated renewals (e.g., ACME/EST/SCEP).
• Support PIV credential operations (card issuance, certificate personalization, revocation, and validation services) and YubiKey lifecycle tasks (enrollment, attestation, firmware considerations, and policy profiles).

Security, Compliance & Governance

• Enforce PKI policy (CP/CPS), key management procedures, and secure key ceremonies aligned with organizational and regulatory requirements (e.g., FIPS 140-2/3 for HSMs, FIPS 201 for PIV, NIST guidance).
• Maintain comprehensive documentation: system runbooks, SOPs, CP/CPS updates, architectural diagrams, data flows, and audit artifacts.
• Partner with Audit/Compliance to support assessments, evidence collection, control testing, and remediation (e.g., NIST 800-53 control families, certificate governance).
• Implement segmentation and access controls for PKI components; manage privileged access and break‑glass procedures.
• Track and remediate vulnerabilities affecting PKI (CAs, cryptographic libraries, protocol configurations).

Engineering & Automation

• Build and maintain automation for certificate issuance/renewal, inventory, and reporting (e.g., PowerShell, Python, REST APIs, Ansible).
• Integrate PKI with identity platforms and authentication flows (e.g., smart card/PIV login, YubiKey-based MFA, SSO, federation).
• Advise application teams on certificate requirements (key types, key sizes, curves, CSP/KSP settings), mTLS patterns, and mutual trust establishment.
• Lead PKI service improvements: scaling, high availability, telemetry/observability, and performance tuning.
• Evaluate and implement modern cryptographic practices (e.g., SHA-2/3, ECC, post-quantum readiness planning as appropriate).

Collaboration & Support

• Serve as the PKI SME for projects and incident response; provide Tier 3 support and root cause analysis.
• Coordinate with vendors (e.g., Entrust) for platform upgrades, troubleshooting, and feature enablement.
• Train and mentor engineers/administrators on PKI operations, certificate hygiene, and secure usage patterns.

• Minimum of 8 years with BS/BA; Minimum of 6 years with MS/MA; Minimum of 3 years with PhD, 12 years with a HS Diploma
• 5–8+ years of experience in enterprise security/identity engineering, with 3+ years directly operating PKI/CA systems.
• Hands-on expertise with Entrust CA platforms (or equivalent enterprise CA, OCSP/CRL, and directory services (AD/LDAP).
• Strong knowledge of X.509, certificate profiles, key algorithms (RSA/ECC), key escrow, key rotation, and cryptographic modules.
• Experience managing SSL/TLS for large environments (web servers, application gateways, load balancers, containers/K8s ingress).
• Operational experience supporting PIV smart cards and YubiKeys in enterprise authentication/MFA scenarios.
• Proficiency in scripting/automation (PowerShell, Python) and working with PKI APIs (ACME/EST/SCEP/REST).
• Familiarity with security frameworks/standards (e.g., FIPS 201, FIPS 140-2/3, NIST SP 800‑53/63, CP/CPS governance).
• Strong troubleshooting skills across Windows/Linux, networking (TLS handshakes, certificate chains, OCSP/CRL reachability), and application integrations.
• Excellent documentation, communication, and stakeholder management capabilities.