Location
Denver, CO
Salary
Not specified
Type
fulltime
Posted
Today
Job Description
Client: Bank Of America
Overview
Senior PKI Engineer to design, implement, and operate enterprise-grade Public Key Infrastructure (PKI) services with a strong focus on Microsoft Active Directory Certificate Services (AD CS) and Active Directory (AD) integration. Hands-on implementation and integration knowledge of certificate lifecycle management, CA hierarchy governance, enrollment automation, HSM-backed key protection, CA backup and restore, migration, and integration with platforms such as Windows Server, Linux, network/security devices, cloud providers, MDM/EPP, and zero-trust tooling. Subject matter expert for cryptographic standards, certificate-based authentication, and PKI security controls across the organization.
Key Responsibilities
Architecture & Design
Design and maintain enterprise PKI architectures (Root CA, Policy CA, Issuing CA) with offline/air-gapped roots, secure key ceremonies, key usage, and issuance workflows and robust CRL/OCSP distribution.
Integrate PKI with Active Directory (incl. AD forests/domains, AD CS, AIA/CDP locations, GPOs), and Azure AD/Entra ID where applicable (e.g., certificate-based auth).
Engineer solutions for mutual TLS, 802.1X (wired/wireless/VPN), device identity, code signing, S/MIME, BitLocker, and disk/volume encryption certs.
Key sizes, algorithms (RSA, ECC and PQC), encryption and hashing.
Implement HSM-backed key storage for CAs and code signing; lead key ceremonies and disaster recovery designs.
Operations & Automation
Own certificate lifecycle management (issuance, renewal, revocation) including automation via Intune, GPO/Autoenrollment, SCEP/NDES, ACME, or MDM connectors.
Manage CRL/OCSP publication, monitoring, and availability; design highly available, geo-distributed revocation endpoints.
Implement scripting/automation (PowerShell, APIs) for bulk issuance, inventory, renewal, and drift detection. Enable separation of duties for secure operation of PKI infrastructure.
CA backup, restore, renewal and migration strategy.
Security & Compliance
Apply strong key management practices (FIPS 140-2/140-3), certificate assurance levels, and secure CA hardening baselines.
Regularly perform PKI risk assessments, access reviews, and control testing (e.g., template permissions, EKU misuse, issuance constraints).
Lead root cause analysis and incident response for certificate/PKI-related outages or security events.
Maintain alignment with NIST, CAB Forum, Microsoft Security Baselines, and internal compliance frameworks (e.g., SOX, PCI, HIPAA, ISO 27001) as applicable.
Minimum Qualifications
8+ years in Security Engineering/Identity Infrastructure, including 5+ years hands-on with Microsoft AD CS and enterprise Active Directory, managing CA infrastructure.
Proven experience designing, deploying, and operating multi-tier Microsoft PKI (offline root, issuing CAs) in large/complex environments.
Deep knowledge of X.509, CRL/OCSP, EKU/KU, SANs, key algorithms and sizes (RSA/ECC), hashing (SHA-2), and certificate validation paths.
Strong PowerShell and Windows Server administration; GPOs, autoenrollment, templates, AIA/CDP configuration.
Experience with 802.1X/EAP-TLS, TLS/mTLS, VPN auth, and device/user certificate issuance at scale.
HSM experience (e.g., nCipher/Entrust/Thales) for CA key management.