Qureos

Cyber Consultant (contract)

Job Specification: Senior PKI (Public Key Infrastructure) and Cryptography Engineer

Job Overview
  • We are seeking a Senior PKI and Cryptography Engineer to design, implement, and operate enterprise certificate and cryptographic services across our hybrid, multi-cloud environment.
  • The role owns secure, full lifecycle certificate management — discovery, issuance, renewal, rotation, and revocation — and delivers integrations across cloud platforms, endpoints, network and security devices, and application stacks.
  • This is a hands-on role for a self-starter who can scope and deliver complex initiatives independently, automate aggressively to eliminate manual toil, and partner across security, infrastructure, identity, and DevOps teams.
  • You will set cryptographic standards, build the automation that enforces them, and shape a modern PKI program that supports both traditional infrastructure and cloud-native, zero-trust use cases.
  • Act with integrity, professionalism, and personal responsibility to uphold the firm’s respectful and courteous work environment.
Key Responsibilities
  • Architect and operate enterprise PKI services, including offline root, policy, and issuing CA tiers with HSM-backed key protection.
  • Implement and manage full certificate lifecycle automation across cloud, on-premises, endpoint, and network domains.
  • Deploy and operate certificate lifecycle management platforms such as Keyfactor and Venafi.
  • Design strong authentication solutions using smart cards, YubiKey, and identity certificates for workforce, privileged users, and machine identities.
  • Define and enforce cryptographic standards and key management policies aligned to NIST, FIPS, and applicable compliance frameworks.
  • Lead incident response and remediation for certificate-related outages or compromise scenarios.
Experience Required
  • 7+ years in cybersecurity or infrastructure engineering, with 4+ years focused on PKI and certificate management in large enterprise environments.
  • Hands-on experience designing and operating multi-tier internal PKI (offline root, policy, issuing CAs) using Microsoft ADCS, EJBCA, or equivalent.
  • Proven experience implementing certificate lifecycle automation via ACME, SCEP, EST, CMP, or REST APIs at scale.
  • Strong experience with smart cards, YubiKey, and identity certificates (PIV, FIDO2/WebAuthn, certificate-based authentication).
  • Experience integrating PKI with AWS, Azure, and GCP, plus endpoints, network devices, load balancers, and MDM platforms.
  • Experience operating HSMs (Thales, Entrust, CloudHSM, Azure Managed HSM) with FIPS-aligned key ceremony and controls.
Preferred
  • Hands-on experience with Keyfactor (Command, EJBCA) and/or Venafi (TLS Protect, Trust Protection Platform).
  • Experience integrating PKI with DevOps toolchains (HashiCorp Vault, cert-manager, service mesh, CI/CD pipelines).
  • Familiarity with regulated environments (NIST, FIPS 140-2/3, PCI-DSS, SOX) and crypto-agility / post-quantum readiness.
  • Bachelor's degree in Computer Science, Information Security, or related discipline; CISSP, CISM, or GIAC certifications a plus.
Skills
  • PKI and Cryptography: X.509, RFC 5280, certificate profiles, CRL/OCSP, CA/B Forum baseline requirements; RSA, ECDSA, AES, SHA-2/3, TLS 1.2/1.3, mTLS, S/MIME, code signing.
  • Identity Certificates and Strong Authentication: Smart cards (PIV/CAC), YubiKey (PIV, FIDO2, OpenPGP), Windows Hello for Business, integration with Active Directory, Entra ID, and Okta.
  • Certificate Lifecycle Management: Hands-on with Keyfactor and Venafi preferred, plus ACME, SCEP, EST, CMP, and REST-based enrollment workflows.
  • Cloud and Platform Integration: AWS (ACM, Private CA, KMS), Azure (Key Vault, Managed HSM), GCP (CAS, KMS), Kubernetes cert-manager, and service mesh mTLS.
  • DevOps and Automation: Terraform, Ansible, CI/CD pipelines (Jenkins, GitHub Actions, Azure DevOps), and Git-based workflows.
  • Scripting and Programming: Proficiency in at least one of Python, PowerShell, Go, or Bash for tooling and API integrations.
  • Professional Skills: Self-starter with strong ownership and the ability to drive initiatives end-to-end.

Pay Rate Range

60 - 120 USD hourly
