PKI Engineer
We are currently recruiting for a PKI Engineer to join one of our Insurance clients on a 6-month contract.
Inside IR35
Hybrid
Responsibilities:
- Design, implement, and operate enterprise PKI services using Venafi PKI/CLM and associated CA/HSM integrations.
- Design and manage Venafi SSH Manager and implement modern SSH CA workflows for short-lived user, host, and workload SSH certificates.
- Azure Key Vault (and other CSP KMS) for certificate storage and workload identity
- Intune / SCEP, Active Directory, Wi-Fi EAP-TLS / RADIUS
- Kubernetes certificate and trust patterns (service mesh, workload identity, SPIFFE/SPIRE-compatible models)
- Design secure trust controls for certificate issuance, key protection, certificate validation, OCSP/CRL management, and SSH certificate workflows.
- Embed certificate, SSH, and key governance into CI/CD systems, including automatic issuance and renewal pipelines.
- Build automation and tooling to streamline platform integration with Venafi PKI/CLM, Venafi SSH Manager, and cloud KMS services.
- Conduct PKI/SSH assessments, identify vulnerabilities or misconfigurations, and recommend remediation.
- Develop scalable key and certificate patterns (short-lived certificates, key rotation, envelope encryption, secure provisioning).
- Integrate PKI and SSH trust services with applications running on Kubernetes, hybrid cloud, and multi
- Maintain engineering documentation, trust models, DLDs, runbooks, and operational processes.
Experience
- Extensive hands-on experience as a PKI/SSH Engineer operating Venafi PKI, CLM and Venafi SSH Manager (Trust Protection Platform) in an enterprise environment.
- Strong understanding of CA hierarchies, certificate chains, X.509, CRLs, OCSP, mTLS, and TLS configurations.
- Experience integrating PKI/SSH services with Azure Key Vault, AWS KMS, OpenSSH, Kubernetes and service mesh certificate architectures (mTLS, SPIFFE/SPIRE-style identities).
- Proficiency with scripting and automation (Python, PowerShell, Bash, Go, JSON) and IaC tools (Azure DevOps, Terraform, Ansible).
- Experience modernising TLS certificate and SSH key management processes, uplifting protocol versions, and improving trust configurations.
- Knowledge of SSH tooling, including OpenSSL, OpenSSH, and Cloud Provider TLS/CA integrations and KMS APIs.
- Experience migrating from long-lived SSH keys to SSH CA certificate-based authentication.
- Experience implementing workload identity across cloud platforms using certificates or cloud KMS.
- Strong understanding of NIST/FIPS standards and relevant IETF RFCs for PKI, TLS, and SSH.
- Knowledge of crypto-agility strategies and CA agility patterns.
Guidant, Carbon60, Lorien & SRG - The Impellam Group Portfolio are acting as an Employment Business in relation to this vacancy.
