Job description
For our client we are looking for a PKI / Secrets Management QA Engineer (f/m/d).
Start: 20.10.2025
Duration: 3 months, + wish for a long-term prolongation
Capacity: 80-100%
Location: 75% Remote, 25% Berlin (1 week Berlin / 3 weeks remote in rotation), up to 50% onsite in peak times
Language: English is a must, German is a plus
Budget: 80,00 EUR net
Role:
The IAM Service is responsible for the conception and designing of identity and access management (IAM) services for the platform. The primary goals are providing a scalable, secure, and federated access to applications, ensuring seamless integration across the hybrid cloud environment.
Objectives:
- Core Vault Knowledge
• Vault concepts: Validate Vault activities, namely init/unseal, tokens, leases, policies, and secrets engines.
• Test Vault fundamentals: init/unseal, tokens, policies, secrets engines.
• Validate secrets lifecycle, PKI workflows, RA policies, and revocation.
• Automate tests using CLI, REST API, SDKs (Python, Go, Java) in CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI).
• Test the certificate issuance, expiry, revocation, and renewal workflows.
- Testing & Validation:
• Give recommendations and write test cases for:
o Secrets lifecycle (creation, lease renewal, revocation).
o PKI workflows (CSR submission, certificate issuance, CRL checks, revocation).
o Authentication methods (AppRole, LDAP, Kubernetes, OIDC).
o Validating access policies (ACLs) — ensuring least privilege is enforced.
• Regression testing for Vault upgrades and policy changes.
• Fault injection testing: unseal/reseal, token expiration, expired certificates
- Automation & Scripting
• Creation of automated test scripts using the Vault CLI, REST API, and SDKs (Python, Go, or Java).
• Integration of Vault test cases into CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Jenkins).
• Scripting in Python, Bash, and PowerShell for automating secrets/PKI validation tests.
- PKI-Specific Testing
• Validating certificate chains, trust anchors, and expiry alerts.
• Testing automated certificate issuance and renewal flows (short-lived certs).
• Simulation of edge cases: revoked certs, expired intermediates, misconfigured chains.
• Using tools such as OpenSSL, certutil, or Wireshark to debug TLS/PKI issues.
- Integration Testing
• Performing integration testing of the following:
o Kubernetes sidecars and Vault Agent templates.
o Dynamic DB credentials.
o TLS cert rotation in load balancers, web servers, and APIs.
o Keycloak federation (OIDC/SAML) flows.
• Conducting browser-based tests using Playwright or Selenium for IAM/SSO validation.
- Security & Compliance Validation
• Reviewing hardcoded secrets, audit logging, RBAC/MFA enforcement, and FIPS/PCI-DSS alignment.
• Verifying that audit logs (Vault audit devices, syslog) capture critical events.
• Testing RBAC enforcement and MFA requirements in auth flows.
• Performing compliance reviews against standards (FIPS 140-2/3 for cryptography, PCI-DSS secret handling requirements).
- Monitoring & Troubleshooting
• Validating deployments to ensure reliability, security and compliance, covering both functional testing
(PKI/Secrets) and integration testing (IAM federation, CI/CD pipelines, HA/DR).
• Monitoring Vault telemetry, logs, and SIEM outputs; debugging failures across Vault/PKI/Keycloak.
• Ensuring HA/DR failover testing is automated and repeatable.
• Adding coverage for multi-tenant and RA delegation scenarios.
Skills (must-have):
- Experience with testing Vault fundamentals and PKI workflows.
- Expertise with test automation frameworks for services, APIs, IAM.
- Strong experience with scripting and automation: Python, Go, Bash, PowerShell.
- Expertise with PKI/SSL debug tools: OpenSSL, certutil, Wireshark.
- Strongly skilled with CI/CD integration: Jenkins, GitHub Actions, GitLab CI.
- Experience with Secrets and compliance testing: audit logs, RBAC/MFA, standards validation.
- Experienced with browser-based automation: Playwright or Selenium.
- Experienced as a quality gate for PKI, Vault, and IAM services.
- Good knowledge of how Vault integrates with applications (via the API, the Vault Agent, and the sidecar injector).
Skills (should-have):
- Experience with cloud services and their configuration.
- Knowledge of IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends and performance testing.
- Fluent in German.
- Familiarity with HA/DR scenarios in PKI/Secrets/IAM.
- Experience working with Scrum and agile frameworks in general.