PKI Secrets Manager / Vault Engineer (m/w/d) - Remote & Berlin/Frankfurt
Project assessment
The tender gives a very detailed and comprehensive overview of the requirements for a PKI Secrets Manager / Vault Engineer, with clear objectives, technologies and expectations; the work is remote with occasional on-site presence in Berlin or Frankfurt, and the client is in the energy sector.
For our client in Berlin we are looking for experienced support as PKI Secrets Manager / Vault Engineer (m/f/d) as part of a long-term greenfield project. The work is remote, with on-site presence in Berlin or Frankfurt for one week of 3-4 days per month as a rule. Depending on the project phase, on-site availability of up to 50% is expected. The background is a large platform project in the energy sector.
The IAM service is responsible for conceiving and designing the identity and access management (IAM) services for the platform. The primary goals are to provide scalable, secure and federated access to applications and to ensure seamless integration across the hybrid cloud environment.
Objective 1: Vault Core & Infrastructure. Tasks:
- Deploying and operating Vault in production on Linux-based systems.
- Working with storage backends (Integrated Storage, Consul) and seal mechanisms (Shamir's Secret Sharing, HSM auto-unseal, cloud KMS integration).
- Giving recommendations on performance tuning, cluster scaling, and HA failover handling.
- Managing Vault PKI operations: intermediates, issuing CAs, automation.
Objective 2: Authentication & Authorization. Tasks:
- Proficiency with common auth methods: AppRole, Kubernetes, LDAP/AD, OIDC/JWT.
- Consulting on policy design with Vault's ACL system (HCL/JSON) and enforcing least privilege.
- Implementing multi-tenant models in Vault (namespaces, identity groups).
Objective 3: Secrets Engines. Tasks:
- Hands-on capability with key engines:
  - KV (Key-Value) for generic secrets.
  - PKI engine for issuing, revoking, and rotating certificates (short-lived certs, role-based issuance, CRLs).
  - Database secrets engine for dynamic DB credentials.
  - Cloud secrets engines (AWS, Azure, GCP) for temporary access keys.
- Configuring TTLs/leases, rotation, and secret renewal workflows.
- Integrating Vault with HSM partitions.
Objective 4: PKI-Specific Expertise. Tasks:
- Setting up the PKI secrets engine for internal CAs, intermediates, and role definitions.
- Automating certificate issuance (dynamic short-lived certs) and revocation.
- Integrating Vault PKI with enterprise services (web servers, ingress controllers, load balancers, VPNs).
- Managing certificate chaining, trust anchors, CRL/OCSP integration, and troubleshooting validation errors.
- Giving recommendations on working with PKCS standards and TLS/SSL protocol basics.
- Consulting on the implementation of ACME v2 (DNS-01 + EAB) and EST for devices.
- Configuring AIA/CRL/OCSP publishing and stapling.
- Applying RFC 5280 profiles, SAN encoding, and RA delegation.
- Running DR/HA, Raft storage, and backup/restore drills.
Objective 5: Operations, Monitoring & Troubleshooting. Tasks:
- Use Vault CLI and API for day-to-day ops and debugging.
- Monitor Vault health via telemetry/metrics (Prometheus, Grafana).
- Troubleshoot unseal issues, auth failures, token problems, and certificate validation errors.
- Handle backup, restore, and disaster recovery scenarios.
Objective 6: Automation & DevOps Integration. Tasks:
- Write automation scripts with Terraform, Ansible, or Helm to deploy/manage Vault.
- Use Vault Agent or Envconsul for automatic secret injection into applications.
- Work on CI/CD integration (Jenkins, GitHub Actions, GitLab CI) for certificate and secret distribution.
- Work on secret rotation automation for databases, PKI, and cloud credentials.
- Perform PQC (post-quantum cryptography) pilots in non-prod.
- Build and operate using Infrastructure-as-Code and GitOps tooling.
Must-have experience (to be demonstrated through project experience)
- Vault Fundamentals – Experience deploying & managing Vault clusters in production (HA, Raft storage), configuring seal/unseal (KMS/HSM), operating the Vault PKI secrets engine, and integrating HSMs.
- Solid understanding of Vault architecture (storage backends, seal/unseal, Raft vs. integrated storage, clustering, HA setups).
- PKI Secrets Engine – Experience managing intermediates, role definitions, short-lived cert issuance, CRLs, and automated revocation, and the ability to integrate PKI with apps/services.
- Certificate Lifecycle Management – Experience automating issuance/renewal via Vault Agent, API, or CI/CD pipelines; should also be able to handle rotation policies and revocation, certificate policy, and operational SLOs.
- Security & Compliance – Experience implementing RBAC, audit devices, HSM/KMS for key protection, and enforcing rotation policies.
- Integration – Experience integrating PKI with enterprise systems (K8s ingress, load balancers, VPN, S/MIME, DBs); ACME, EST, revocation protocols, Terraform, OpenTofu, ArgoCD, Flux.
- Monitoring and Troubleshooting – Good experience managing metrics (Prometheus, Grafana), troubleshooting unseal/auth/CRL issues, and performing backup & restore.
Must-have language skills
Fluent English – C1.
Preferred experience
• Experience with cloud services and their configuration
• Knowledge of IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends
• Fluent in German