PKI / Secrets Manager Quality Engineer (m/w/d) - Remote & Berlin/Frankfurt
Project assessment
The project posting gives a very detailed and comprehensive picture of the requirements for a Quality Engineer in the PKI/Secrets Management area, with clear objectives, technologies and expectations, as well as flexible remote work with occasional presence in Berlin or Frankfurt.
For our client in Berlin we are looking for experienced support as a PKI / Secrets Manager QA Engineer (m/w/d) within a long-term greenfield project. The work is performed remotely, with on-site presence in Berlin or Frankfurt usually one week per month for 3-4 days. Depending on the project phase, on-site availability of up to 50% is expected. The background is a large platform project in the energy sector.
Project:
The team is building an internal platform for software product developers to accelerate the development and delivery of software products that tackle the massive challenges facing the energy sector. The platform is a service-oriented, cloud-native platform that provides application teams with self-service capabilities to develop, run and operate their software products. It offers services for application infrastructure, data, service lifecycle management, application build and delivery, as well as services to operate their software products. The platform is deployed as a hybrid cloud, encompassing both a private cloud and select public clouds.
The IAM Service is responsible for the conception and design of identity and access management (IAM) services for the platform. The primary goals are providing scalable, secure, and federated access to applications, ensuring seamless integration across the hybrid cloud environment.
Objective 1: Core Vault Knowledge:
▪ Validate core Vault activities: init/unseal, tokens, leases, policies, secrets engines.
▪ Test Vault fundamentals: init/unseal, tokens, policies, secrets engines.
▪ Validate secrets lifecycle, PKI workflows, RA policies, and revocation.
▪ Automate tests using CLI, REST API, SDKs (Python, Go, Java) in CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI).
▪ Test the certificate issuance, expiry, revocation, and renewal workflows.
Objective 2: Testing & Validation Skills:
▪ Give recommendations and write test cases for: secrets lifecycle (creation, lease renewal, revocation), PKI workflows (CSR submission, certificate issuance, CRL checks, revocation), authentication methods (AppRole, LDAP, Kubernetes, OIDC), and validating access policies (ACLs) — ensuring least privilege is enforced.
▪ Regression testing for Vault upgrades and policy changes.
▪ Fault injection testing: unseal/reseal, token expiration, expired certificates.
Objective 3: Automation & Scripting:
▪ Creation of automated test scripts by using Vault CLI, REST API, and SDKs (Python, Go, or Java).
▪ Integration of Vault test cases into CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Jenkins).
▪ Scripting in Python, Bash, and PowerShell to automate secrets/PKI validation tests.
Objective 4: PKI-Specific Testing:
▪ Validate certificate chains, trust anchors, and expiry alerts.
▪ Testing automated certificate issuance and renewal flows (short-lived certs).
▪ Simulate edge cases: revoked certs, expired intermediates, misconfigured chains.
▪ Use tools like OpenSSL, certutil, or Wireshark to debug TLS/PKI issues.
Objective 5: Integration Testing:
▪ Performing integration testing of Kubernetes sidecars and Vault Agent templates.
▪ Performing integration testing of dynamic DB credentials.
▪ Performing integration testing of TLS cert rotation in load balancers, web servers, and APIs.
▪ Performing integration testing of Keycloak federation (OIDC/SAML) flows.
▪ Conducting browser-based tests using Playwright or Selenium for IAM/SSO validation.
Objective 6: Security & Compliance Validation:
▪ Review hardcoded secrets, audit logging, RBAC/MFA enforcement, and FIPS/PCI-DSS alignment.
▪ Verify that audit logs (Vault audit devices, syslog) capture critical events.
▪ Testing RBAC enforcement and MFA requirements in auth flows.
▪ Perform compliance reviews against standards (FIPS 140-2/3 for cryptography, PCI-DSS secret handling requirements).
Objective 7: Monitoring & Troubleshooting:
▪ Validate deployments for reliability, security and compliance, covering both functional testing (PKI/Secrets) and integration testing (IAM federation, CI/CD pipelines, HA/DR).
▪ Monitor Vault telemetry, logs, and SIEM outputs; debug failures across Vault/PKI/Keycloak.
▪ Ensure HA/DR failover testing is automated and repeatable.
▪ Add coverage for multi-tenant and RA delegation scenarios.
Must-have experience:
◦ Experience with testing Vault fundamentals and PKI workflows.
◦ Expertise with test automation frameworks for services, APIs, IAM.
◦ Strong experience with scripting and automation: Python, Go, Bash, PowerShell.
◦ Expertise with PKI/SSL debug tools: OpenSSL, certutil, Wireshark.
◦ Strong skills in CI/CD integration: Jenkins, GitHub Actions, GitLab CI.
◦ Experience with Secrets and compliance testing: audit logs, RBAC/MFA, standards validation.
◦ Experienced with browser-based automation: Playwright or Selenium.
◦ Experienced as a quality gate for PKI, Vault, and IAM services.
◦ Good knowledge of how Vault integrates with apps (via the API, the Vault Agent, and the sidecar injector).
◦ Language: Fluent English – C1.
Preferred experience:
◦ Experience with cloud services and their configuration.
◦ Knowledge of IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends and performance testing.
◦ Fluent in German.
◦ Familiarity with HA/DR scenarios in PKI/Secrets/IAM.
◦ Experience working with Scrum and general experience with agile frameworks.