Senior PKI Secrets Manager / Vault Engineer (m/w/d) HSM / Hardware Security Module - Remote & Berlin/Frankfurt
Project assessment
The project posting gives a very detailed and comprehensive view of the requirements for a Senior PKI Secrets Manager with complex technical tasks in the energy sector, with flexible remote working options and clear on-site expectations of 3-4 days per month.
For our client in Berlin we are looking, as part of a long-term greenfield project, for experienced support as Senior PKI Secrets Manager / Vault Engineer (m/w/d) HSM / Hardware Security Module. The work is performed remotely and, as a rule, on site in Berlin or Frankfurt for one week of 3-4 days per month. Depending on the project phase, on-site availability of up to 50% is required. The background is a large platform project in the energy sector.
Project:
The team is building an internal platform for software product developers to accelerate the development and delivery of software products that tackle the massive challenges facing the energy sector. The Platform is a service-oriented, cloud-native platform being built to provide application teams with self-service capabilities to develop, run and operate their software products. The Platform provides services for application infrastructure, data, service lifecycle management, application build and delivery, as well as services to operate their software products. The Platform is deployed as a hybrid cloud, encompassing both private cloud and select public clouds.
Scope of Work
• The IAM Service is responsible for the conception and design of identity and access management (IAM) services for the platform.
• The primary goals are providing scalable, secure, federated access to applications and ensuring seamless integration across the hybrid cloud environment.
• Objective 1: PKI Design and Architecture Evaluation
◦ Consulting with architecture on enterprise-grade PKI solutions (root CA, subordinate CAs, OCSP responders, CRLs, HSM integration).
◦ Conceptualizing the design of, and taking ownership of, the PKI hierarchy (offline root, intermediates, issuing CAs).
◦ Coordination and management of key ceremonies and CP/CPS governance.
◦ Recommending appropriate cryptographic algorithms, key lengths, and lifecycles (RSA, ECC, SHA-2/SHA-3).
◦ Designing certificate hierarchies and trust models (internal, external, cross-certification, bridge CAs).
◦ Designing, with guidance from the Senior Architect, high availability and disaster recovery for PKI components.
• Objective 2: Deployment & Configuration
◦ Installation and configuration of Certificate Authorities (Microsoft AD CS, EJBCA, Entrust, DigiCert, etc.).
◦ Implementation of Hardware Security Modules (HSMs) for key protection.
◦ Implementation of ACME v2 automation, EST for devices, revocation (OCSP/CRL/stapling).
◦ Setting up enrollment services and auto-enrollment (e.g., Windows GPO, SCEP, EST).
◦ Configuration of certificate templates and enrollment workflows.
◦ Integration of PKI with Active Directory and enterprise IT systems.
◦ Operation of Thales Luna HSMs (FIPS 140-3, partitions, quorum, HA/DR).
• Objective 3: Integration & Support
◦ Configuration of TLS/SSL for web servers, load balancers, APIs, and cloud services.
◦ Integration of PKI with endpoints, VPNs, Wi-Fi, and mobile devices.
◦ Defining the RA model and the Keycloak OIDC integration.
◦ Configuration of authentication systems (smart cards, Windows logon, S/MIME, code signing).
◦ Advising DevOps on certificate automation (HashiCorp Vault, Venafi, Certbot, ACME).
◦ Recommending and implementing integration of PKI with cloud providers (Google Cloud KMS) and on-premises components.
• Objective 4: Operations, Monitoring & Lifecycle Management
◦ Management of certificate issuance, renewal, suspension, and revocation.
◦ Providing definitions and concepts to drive the post-quantum roadmap.
◦ Monitoring of certificate expiry and automating renewals.
◦ Management of CRLs and OCSP responders for revocation checking.
◦ Executing an on-premises-first design with 2-DC HA/DR.
◦ Working on key archival, recovery, and destruction policies.
• Objective 5: Security & Compliance
◦ Enforcing strong key management practices, namely FIPS 140-2/3, NIST and PCI DSS compliance.
◦ Performing audits of PKI operations and certificate usage.
◦ Implementation of role-based access control (RBAC) for PKI administrators.
◦ Managing compliance with corporate security policies and industry standards (eIDAS, WebTrust, CA/Browser Forum Baseline Requirements).
◦ Management of Certificate Policy (CP) and Certificate Practice Statement (CPS) documents.
• Objective 6: Automation & Modernization
◦ Operating certificate lifecycle automation tools (Venafi, AppViewX, Sectigo CLM).
◦ Implementing and running DevSecOps practices (certificates in CI/CD pipelines, containerized workloads).
◦ Validation and management of post-quantum cryptography readiness.
◦ Migration of legacy PKI to modern architectures (cloud-native PKI, Zero Trust identity models).
Must-have experience
• Cryptography Fundamentals – Experienced with public/private key concepts, symmetric vs. asymmetric crypto, digital signatures, hashing (SHA-2, SHA-3), ECC vs. RSA, key lifecycles.
• PKI Architecture – Experience with root vs. subordinate CA hierarchies, trust chains, cross-certification, bridge CAs, offline vs. online CAs; Vault PKI engine (enterprise-level).
• Experience with Hardware Security Modules (HSMs) for key protection, CRL/OCSP configuration, and integration of certificates with common enterprise services (TLS for web servers, VPNs, Wi-Fi, S/MIME, and code signing).
• Standards & Protocols – Experience with X.509, PKCS standards (PKCS#7, #10, #11, #12), TLS/SSL, S/MIME, Kerberos, OCSP, ACME, EST, SCEP, certificate lifecycle, revocation methods.
• Key Management – Experience with key generation, protection (HSM), backup/recovery, rotation, FIPS 140-2/3 requirements, NIST, ETSI, ISO standards; strong HSM expertise (Thales Luna preferred).
• Compliance & Governance – Well versed with Certificate Policy (CP), Certificate Practice Statement (CPS), CAB Forum BRs, WebTrust, eIDAS, GDPR implications.
• Experience in designing and operating subordinate CA infrastructures under a root CA.
• Must be skilled in scripting (typically PowerShell or Python) to automate routine PKI tasks, monitor certificate expiry, and streamline renewals.
• Experience in deploying and managing enterprise CAs (such as Microsoft AD CS, EJBCA, or Entrust), configuring certificate templates along with enabling auto-enrollment through Active Directory.
• Language: Fluent English – C1.
Preferred experience
• Experience with cloud services and their configuration.
• Knowledge about IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends.
• Fluent in German.
• Working with Scrum and general experience in agile frameworks.