75% remote: PKI Engineer (w/m/d) for Cloud Platform

Project assessment

The posting gives a very detailed and comprehensive view of the requirements for a PKI Engineer, with clear terms on remote share, project status, compensation and technical expectations, which makes it a very informative job posting.

For our client we are looking for a PKI Engineer (w/m/d) for Cloud Platform.

Start: 20.10.2025
Duration: 3 months, with the wish for a long-term extension
Capacity: 80-100%
Location: 75% Remote, 25% Berlin (1 week Berlin / 3 weeks remote in rotation), up to 50% onsite in peak times
Language: English is a must, German is a plus
Budget: 80,00 EUR net

Role:
The IAM Service is responsible for the conception and design of identity and access management (IAM) services for the platform. The primary goals are providing scalable, secure, and federated access to applications and ensuring seamless integration across the hybrid cloud environment.

Objectives & Tasks:
- PKI Design and Architecture evaluation
- Deployment & Configuration. Tasks:
  • Installation and configuration of Certificate Authorities (Microsoft AD CS, EJBCA, Entrust, DigiCert, etc.).
  • Implementation of Hardware Security Modules (HSMs) for key protection.
  • Implementation of ACME v2 automation, EST for devices, revocation (OCSP/CRL/stapling).
  • Setting up enrollment services and auto-enrollment (e.g., Windows GPO, SCEP, EST).
  • Configuration of certificate templates and enrollment workflows.
  • Integration of PKI with Active Directory and enterprise IT systems.
  • Operation of Thales Luna HSMs (FIPS 140-3, partitions, quorum, HA/DR).
- Integration & Support
- Operations, Monitoring & Lifecycle Management
- Security & Compliance
- Automation & Modernization

Skills (must-have):
- Cryptography Fundamentals – Experienced at managing public/private key concepts, symmetric vs. asymmetric crypto, digital signatures, hashing (SHA-2, SHA-3), ECC vs. RSA, key lifecycles.
- PKI Architecture – Experience at handling Root vs. Subordinate CA hierarchy, trust chains, cross-certification, bridge CA, offline vs. online CA; Vault PKI engine (enterprise-level).
- Experience with Hardware Security Modules (HSMs) for key protection, CRL/OCSP configuration, and integration of certificates with common enterprise services (TLS for web servers, VPNs, Wi-Fi, S/MIME, and code signing).
- Standards & Protocols – Experience with X.509, PKCS standards (PKCS#7, #10, #11, #12), TLS/SSL, S/MIME, Kerberos, OCSP, ACME, EST, SCEP, certificate lifecycle, revocation methods.
- Key Management – Experience with key generation, protection (HSM), backup/recovery, rotation, FIPS 140-2/3 requirements, NIST, ETSI, ISO standards; strong HSM expertise (Thales Luna preferred).
- Compliance & Governance – Well versed in Certificate Policy (CP), Certificate Practice Statement (CPS), CAB Forum BRs, WebTrust, eIDAS, GDPR implications.
- Experience in designing and operating subordinate CA infrastructures under a root CA. Must be skilled in scripting (typically PowerShell or Python) to automate routine PKI tasks, monitor certificate expiry, and streamline renewals.
- Experience in deploying and managing enterprise CAs (such as Microsoft AD CS, EJBCA, or Entrust), configuring certificate templates, and enabling auto-enrollment through Active Directory.

Skills (should-have):
- Experience with cloud services and their configuration
- Knowledge of IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends
- Fluent in German
- Working with Scrum and general experience in agile frameworks

Type of employment

contracting

Posted on

12 September 2025

Offered by:

Freelancermap
