Lorien
London, United Kingdom

PKI Engineer

Project-Based

Description

We are currently recruiting for a PKI Engineer to join one of our Insurance clients on a 6-month contract.

Inside IR35
Hybrid

Responsibilities:

- Design, implement, and operate enterprise PKI services using Venafi PKI/CLM and associated CA/HSM integrations.
- Design and manage Venafi SSH Manager and implement modern SSH CA workflows for short-lived user, host, and workload SSH certificates.
- Azure Key Vault (and other CSP KMS) for certificate storage and workload identity
- Intune/SCEP, Active Directory, Wi-Fi EAP-TLS/RADIUS
- Kubernetes certificate and trust patterns (service mesh, workload identity, SPIFFE/SPIRE compatible models)
- Design secure trust controls for certificate issuance, key protection, certificate validation, OCSP/CRL management, and SSH certificate workflows.
- Embed certificate, SSH, and key governance into CI/CD systems, including automatic issuance and renewal pipelines.
- Build automation and tooling to streamline platform integration with Venafi PKI/CLM, Venafi SSH Manager, and cloud KMS services.
- Conduct PKI/SSH assessments, identify vulnerabilities or misconfigurations, and recommend remediation.
- Develop scalable key and certificate patterns (short-lived certificates, key rotation, envelope encryption, secure provisioning).
- Integrate PKI and SSH trust services with applications running on Kubernetes, hybrid cloud, and multi
- Maintain engineering documentation, trust models, DLDs, runbooks, and operational processes.

Experience:

- Extensive hands-on experience as a PKI Engineer, SSH Engineer, operating Venafi PKI, CLM and Venafi SSH Manager (Trust Protection Platform) in an enterprise environment.
- Strong understanding of CA hierarchies, certificate chains, X.509, CRLs, OCSP, mTLS, and TLS configurations.
- Experience integrating PKI/SSH services with Azure Key Vault, AWS KMS, OpenSSH, Kubernetes and service mesh certificate architectures (mTLS, SPIFFE/SPIRE style identities).
- Proficiency with scripting and automation (Python, PowerShell, Bash, Go, JSON) and IaC tools (Azure DevOps, Terraform, Ansible).
- Experience modernising TLS certificate and SSH key management processes, uplifting protocol versions, and improving trust configurations.
- Knowledge of SSH tooling, including OpenSSL, OpenSSH, and Cloud Provider TLS/CA integrations and KMS APIs.
- Experience migrating from long-lived SSH keys to SSH CA certificate-based authentication.
- Experience implementing workload identity across cloud platforms using certificates or cloud KMS.
- Strong understanding of NIST/FIPS standards and relevant IETF RFCs for PKI, TLS, and SSH.
- Knowledge of crypto-agility strategies and CA agility patterns.

Guidant, Carbon60, Lorien & SRG - The Impellam Group Portfolio are acting as an Employment Business in relation to this vacancy.

Skills

AWS, PKI, IT, Vault, Encryption, Azure, CI/CD, Kubernetes, DevOps, TLS, PowerShell, Terraform, Azure DevOps, Ansible, Go, Vault (Revision Control System), Bash, Key Management, Python
