PKI and SSH Engineer

Philadelphia, PA 19102

Posted: 04/10/2026 | Job Category: Software Development | Job Number: 22214

Job Description

PKI and SSH Engineer
Location: 100% remote role. Preference is for East Coast candidates or those with flexibility to work EST hours to collaborate with UK and Peru teams.
Duration: Long-term role with extension and potential to convert to FTE if it is the right fit.
Pay: $90-$110/hr based on experience


Role Overview
We are seeking an experienced PKI and SSH Engineer to strengthen and accelerate delivery across our Cryptography, Identity, and Secure Access workstreams.


The successful candidate will be expected to contribute across the following disciplines:
• Public Key Infrastructure (PKI) Architecture & Engineering
• SSH Certificate Authority & Key Management
• Certificate Lifecycle Management & Automation
• Applied Cryptography & Crypto Agility
• Secure Systems Engineering and Cloud Security
• Trust Services for Cloud & Container Platforms
• Threat Modelling, Compliance, Standards, and Governance


You will design, build, and operate PKI and SSH trust services using Venafi PKI/CLM, Venafi SSH Manager (Venafi Trust Protection Platform), OpenSSH, Azure Key Vault, Kubernetes, and AWS KMS.
You will support Lines of Business in integrating their applications and infrastructure with these services, automate certificate lifecycle management, and ensure consistent enforcement of certificate, key, and SSH policies across cloud platforms, applications, infrastructure, and data workloads.
This is a hands-on engineering role requiring deep technical expertise in PKI, SSH, secure access patterns, and cryptographic controls — along with the ability to work collaboratively across security, cloud, engineering, infrastructure, and internal audit teams to ensure our trust services are robust, scalable, compliant, and agile.

Key Responsibilities:
1. PKI, SSH & Cryptographic Engineering
• Design, implement, and operate enterprise PKI services using Venafi PKI/CLM and associated CA/HSM integrations.
• Design and manage Venafi SSH Manager and implement modern SSH CA workflows for short-lived user, host, and workload SSH certificates.
• Integrate PKI/CLM services with a variety of services/protocols including:
  ◦ Azure Key Vault (and other CSP KMS) for certificate storage and workload identity
  ◦ Intune / SCEP, Active Directory, Wi-Fi EAP-TLS / RADIUS
  ◦ Kubernetes certificate and trust patterns (service mesh, workload identity, SPIFFE/SPIRE compatible models)
  ◦ Various pipeline / IaC tools and templates, including Terraform
• Engineer secure certificate issuance, renewal, rotation, and revocation, including fully automated CA and CLM workflows.
• Support rollout of certificate-based access controls across platforms, applications, and APIs.


2. Architecture Alignment & Delivery Support
• Collaborate with PKI, SSH, and cryptography architects to translate high-level trust and cryptographic patterns into detailed engineering designs.
• Design secure trust controls for certificate issuance, key protection, certificate validation, OCSP/CRL management, and SSH certificate workflows.


3. DevSecOps Integration
• Embed certificate, SSH, and key governance into CI/CD systems, including automatic issuance and renewal pipelines.
• Build automation and tooling to streamline platform integration with Venafi PKI/CLM, Venafi SSH Manager, and cloud KMS services.
• Conduct PKI/SSH assessments, identify vulnerabilities or misconfigurations, and recommend remediation.
• Develop scalable key and certificate patterns (short-lived certificates, key rotation, envelope encryption, secure provisioning).
• Integrate PKI and SSH trust services with applications running on Kubernetes, hybrid cloud, and multi-cloud environments.


4. Technical Expertise, Troubleshooting & Stakeholder Support
• Provide engineering guidance to platform, cloud, application development, infrastructure, and cyber security teams.
• Function as subject-matter expert for PKI, SSH CA models, CA hierarchies, trust chains, key usage, ciphers, and protocol behaviours.
• Troubleshoot certificate and SSH trust issues including OCSP failures, CA chain problems, TLS handshake issues, mTLS auth errors, key mismanagement, and SSH CA misconfiguration.
• Support internal audit, risk, and compliance with evidence, design documentation, and deep-dive technical insight.


5. Governance, Standards & Risk Management
• Maintain engineering documentation, trust models, DLDs, runbooks, and operational processes.
• Ensure PKI, SSH, and certificate lifecycle operations remain audit-ready with appropriate evidence and process controls.
• Contribute to trust, PKI, SSH, and Cryptographic Standards & Policies, ensuring consistent adoption across platforms.

Essential Skills & Experience
• Extensive hands-on experience as a PKI Engineer and SSH Engineer, operating Venafi PKI/CLM and Venafi SSH Manager (Trust Protection Platform) in an enterprise environment.
• Strong understanding of CA hierarchies, certificate chains, X.509, CRLs, OCSP, mTLS, and TLS configurations.
• Experience integrating PKI/SSH services with Azure Key Vault, AWS KMS, OpenSSH, Kubernetes and service mesh certificate architectures (mTLS, SPIFFE/SPIRE style identities).
• Proficiency with scripting and automation (Python, PowerShell, Bash, Go, JSON) and IaC tools (Azure DevOps, Terraform, Ansible).
• Experience modernising TLS certificate and SSH key management processes, uplifting protocol versions, and improving trust configurations.
• Knowledge of SSH tooling, including OpenSSL, OpenSSH, and cloud provider TLS/CA integrations and KMS APIs.
• Proven ability to produce high-quality low-level designs and operational documentation.

Desirable Experience
• Minimum 5-8 years of experience
• Experience migrating from long-lived SSH keys to SSH CA certificate-based authentication.
• Experience implementing workload identity across cloud platforms using certificates or cloud KMS.
• Strong understanding of NIST/FIPS standards and relevant IETF RFCs for PKI, TLS, and SSH.
• Experience working within regulated industries (e.g., financial services, healthcare, public sector).
• Knowledge of crypto-agility strategies and CA agility patterns.

