PKI Lead Engineer

The PKI Lead Engineer serves as the senior technical authority for the design, implementation, and sustainment of enterprise Public Key Infrastructure services that enable secure authentication, encryption, and digital signatures across the client's IT environment. This role leads the lifecycle management of digital certificates and cryptographic keys, ensuring resilient, compliant, and well-governed PKI capabilities that protect sensitive information and support mission critical access control.

Key Responsibilities

• Lead the design, implementation, and ongoing operations of enterprise PKI infrastructures, including root and subordinate certificate authorities, registration authorities, and associated hardware and software components.

• Manage the full lifecycle of digital certificates and cryptographic keys for users, devices, applications, and services, including issuance, renewal, suspension, and revocation with strong controls and automation.

• Develop, document, and enforce PKI policies, certification practice statements, standards, and procedures aligned to enterprise security and regulatory requirements.

• Integrate PKI services with identity and access management platforms, directory services, network security controls, and secure application architectures to enable strong authentication and encryption.

• Monitor, audit, and assess PKI infrastructure health and compliance, performing regular reviews, root cause analyses, and remediation activities to maintain high availability and integrity.

• Lead the evaluation, selection, and implementation of PKI related tools, including certificate discovery, management, and automation solutions, and recommend improvements to strengthen cryptographic services.

• Collaborate with security operations and application teams to analyze and respond to PKI related incidents, vulnerabilities, and findings, including support for penetration testing and secure code initiatives.

• Provide expert guidance, training, and mentoring to engineers and developers on PKI usage, certificate management best practices, and secure cryptographic design patterns in enterprise environments.

Required Qualifications

• Bachelor's degree in Cybersecurity, Information Technology, Computer Science, Engineering, or related technical discipline, or equivalent relevant experience.

• Minimum of 8 years of experience in cybersecurity, security engineering, or network security roles, including significant hands-on exposure to PKI or cryptographic services.

• Demonstrated experience designing, implementing, and operating enterprise PKI solutions, including certificate authorities, key management, and certificate lifecycle workflows.

• Strong knowledge of authentication, authorization, and encryption concepts, including TLS, digital signatures, certificate based access control, and related standards (for example, X.509, OCSP, CRL).

• Ability to obtain and maintain a Public Trust investigation, with US citizenship required in support of federal client requirements.

• Proficiency with Unix/Linux or similar operating systems and enterprise infrastructure environments used to host PKI and security services.

• Candidates must possess a current secret security clearance.

Preferred Qualifications

• Advanced cybersecurity certifications such as CISSP, CISM, CISA, or CRISC demonstrating broad security architecture and governance expertise.

• Experience integrating PKI with identity and access management platforms, federated identity standards (for example, SAML), and role based access control models in large enterprises.

• Background supporting PKI and cryptographic services in complex federal or regulated IT environments with rigorous compliance requirements.

• Handson experience with certificate discovery and management tools, hardware security modules, and automation frameworks for largescale certificate deployment.

• Familiarity with secure software development practices, application security testing, and remediation of cryptographic vulnerabilities across web and service architectures.

• Prior experience leading small technical teams or serving as a subject matter expert for enterprise security initiatives.

Job-Specific Skills

• Enterprise PKI Architecture â?¯-- Designs and documents scalable PKI architectures, including root hierarchy, trust models, and integration patterns with enterprise systems.

• Certificate Lifecycle Management â?¯-- Establishes and operates repeatable processes and automation for issuing, renewing, and revoking certificates for diverse identities and workloads.

• Cryptographic Standards Expertise â?¯-- Applies industry cryptographic standards and algorithms to ensure strong encryption, signing, and key management practices in enterprise solutions.

• Policy and Governance Development â?¯-- Authors and maintains PKI policies, standards, and certification practice statements, aligning them with organizational risk and compliance needs.

• Security Integration Engineering â?¯-- Integrates PKI with identity, access management, network devices, and applications to enable secure, certificate based controls.

• PKI Monitoring and Audit â?¯-- Implements monitoring, logging, and audit processes that provide visibility into PKI operations and support internal and external assessments.

• Incident Response for PKI â?¯-- Leads investigation and remediation of PKI related incidents, including mis-issued certificates, key compromise, and cryptographic vulnerabilities.

• Automation and Tooling â?¯-- Leverages scripting, configuration management, and PKI toolsets to streamline certificate issuance, enrollment, and inventory management.

• Cross Functional Collaboration â?¯-- Works closely with security, infrastructure, application, and operations teams to align PKI capabilities with enterprise objectives and constraints.

• Technical Mentorship â?¯-- Coaches junior engineers and developers on PKI concepts, secure implementation patterns, and operational best practices to uplift team capability.

Preferred Skills

• Experience engineering PKI solutions in hybrid cloud and on premises environments, including integration with major cloud providers' identity and key management services.

• Advanced scripting or automation capability (for example, PowerShell, Python, or similar) used to integrate PKI workflows with enterprise tooling and CI/CD pipelines.

• Familiarity with certificate based network access control, VPN, and device authentication architectures in large, distributed environments.

• Experience conducting PKI focused security assessments, including configuration reviews, key protection evaluations, and readiness for external compliance audits.

Compensation Ranges

Compensation ranges for ASM Research positions vary depending on multiple factors; including but not limited to, location, skill set, level of education, certifications, client requirements, contract-specific affordability, government clearance and investigation level, and years of experience. The compensation displayed for this role is a general guideline based on these factors and is unique to each role. Monetary compensation is one component of ASM's overall compensation and benefits package for employees.

EEO Requirements

It is the policy of ASM that an individual's race, color, religion, sex, disability, age, sexual orientation or national origin are not and will not be considered in any personnel or management decisions. We affirm our commitment to these fundamental policies.

All recruiting, hiring, training, and promoting for all job classifications is done without regard to race, color, religion, sex, disability, or age. All decisions on employment are made to abide by the principle of equal employment.

Physical Requirements

The physical requirements described in "Knowledge, Skills and Abilities" above are representative of those which must be met by an employee to successfully perform the primary functions of this job. (For example, "light office duties' or "lifting up to 50 pounds" or "some travel" required.) Reasonable accommodations may be made to enable individuals with qualifying disabilities, who are otherwise qualified, to perform the primary functions.

Disclaimer

The preceding job description has been designed to indicate the general nature and level of work performed by employees within this classification. It is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities and qualifications required of employees assigned to this job.

$122,900 - 150,000

EEO Requirements

It is the policy of ASM that an individual's race, color, religion, sex, disability, age, gender identity, veteran status, sexual orientation or national origin are not and will not be considered in any personnel or management decisions. We affirm our commitment to these fundamental policies.

All recruiting, hiring, training, and promoting for all job classifications is done without regard to race, color, religion, sex, veteran status, disability, gender identity, or age. All decisions on employment are made to abide by the principle of equal employment.