Job title: 75% remote: PKI Engineer (w/m/d) for Cloud Platform
Contract type: Interim / Project Consulting
Working time model: Full-time
Payment interval: Hourly
Rate: Negotiable
Location: Remote, Berlin
Job posted: 12-09-2025
Job ID: 56155
Name: Niklas Machens
Phone number: +4915119501867
E-mail: niklas.machens@nemensis.de

Job description

For our client, we are looking for a PKI Engineer (w/m/d) for a Cloud Platform.
 
Start: 20.10.2025
Duration: 3 months, with the intention of a long-term extension
Capacity: 80-100%
Location: 75% remote, 25% Berlin (1 week Berlin / 3 weeks remote in rotation), up to 50% onsite during peak times
Language: English is a must, German is a plus
Budget: EUR 80.00 net per hour
 
Role:
The IAM service team is responsible for the design and architecture of identity and access management (IAM) services for the platform. Its primary goal is to provide scalable, secure, federated access to applications with seamless integration across the hybrid cloud environment.
 
Objectives & Tasks:
- PKI Design and Architecture Evaluation
• Advising the architecture team on enterprise-grade PKI solutions (root CA, subordinate CAs, OCSP responders, CRLs, HSM integration).
• Designing and owning the PKI hierarchy (offline root, intermediate and issuing CAs).
- Deployment & Configuration
• Installing and configuring Certificate Authorities (Microsoft AD CS, EJBCA, Entrust, DigiCert, etc.).
• Implementing Hardware Security Modules (HSMs) for key protection.
• Implementing ACME v2 automation, EST for devices, and revocation (OCSP, CRL, OCSP stapling).
• Setting up enrollment services and auto-enrollment (e.g. Windows GPO, SCEP, EST).
• Configuring certificate templates and enrollment workflows.
• Integrating PKI with Active Directory and enterprise IT systems.
• Operating Thales Luna HSMs (FIPS 140-3, partitions, quorum, HA/DR).
- Integration & Support
• Configuring TLS for web servers, load balancers, APIs, and cloud services.
• Integrating PKI with endpoints, VPNs, Wi-Fi, and mobile devices.
• Defining the Registration Authority (RA) model and the Keycloak OIDC integration.
• Configuring certificate-based use cases (smart-card and Windows logon, S/MIME, code signing).
• Advising DevOps teams on certificate automation (HashiCorp Vault, Venafi, Certbot, ACME).
• Recommending and implementing PKI integration with cloud providers (Google Cloud KMS) and on-premises components.
- Operations, Monitoring & Lifecycle Management
• Managing certificate issuance, renewal, suspension, and revocation.
- Security & Compliance
• Applying strong key-management practices in line with FIPS 140-2/3, NIST guidance, and PCI DSS requirements.
• Auditing PKI operations and certificate usage.
• Implementing role-based access control (RBAC) for PKI administrators.
• Ensuring compliance with corporate security policies and industry standards (eIDAS, WebTrust, CA/Browser Forum Baseline Requirements).
• Maintaining the Certificate Policy (CP) and Certification Practice Statement (CPS) documents.
- Automation & Modernization
• Operating certificate lifecycle management tools (Venafi, AppViewX, Sectigo CLM).
• Establishing and running DevSecOps practices (certificates in CI/CD pipelines and containerized workloads).
• Assessing and driving post-quantum cryptography readiness.
• Migrating legacy PKI to modern architectures (cloud-native PKI, Zero Trust identity models).
 
Skills (must-have):
- Cryptography Fundamentals – Solid grasp of public/private key concepts, symmetric vs. asymmetric cryptography, digital signatures, hashing (SHA-2, SHA-3), ECC vs. RSA, and key lifecycles.
- PKI Architecture – Experience with root vs. subordinate CA hierarchies, trust chains, cross-certification, bridge CAs, offline vs. online CAs; HashiCorp Vault PKI secrets engine (enterprise level).
- Experience with Hardware Security Modules (HSMs) for key protection, CRL/OCSP configuration, and integration of certificates with common enterprise services (TLS for web servers, VPNs, Wi-Fi, S/MIME, and code signing).
- Standards & Protocols – Experience with X.509, PKCS standards (PKCS#7, #10, #11, #12), TLS, S/MIME, Kerberos, OCSP, ACME, EST, SCEP, certificate lifecycle, and revocation methods.
- Key Management – Experience with key generation, protection (HSM), backup/recovery, rotation, FIPS 140-2/3 requirements, and NIST, ETSI and ISO standards; strong HSM expertise (Thales Luna preferred).
- Compliance & Governance – Well versed in Certificate Policy (CP), Certification Practice Statement (CPS), CA/Browser Forum Baseline Requirements, WebTrust, eIDAS, and GDPR implications.
- Experience designing and operating subordinate CA infrastructures under a root CA. Must be skilled in scripting (typically PowerShell or Python) to automate routine PKI tasks, monitor certificate expiry, and streamline renewals.
- Experience deploying and managing enterprise CAs (such as Microsoft AD CS, EJBCA, or Entrust), configuring certificate templates, and enabling auto-enrollment through Active Directory.
 
Skills (should-have):
- Experience with cloud services and their configuration
- Knowledge of IAM solutions based on OpenID Connect (OIDC), such as Keycloak, as authentication backends
- Fluent in German
- Experience working with Scrum and agile frameworks in general