GMS - Senior - PKI

Managed Service – IAM MS – PKI (MS PKI & Venafi) Senior

Key Requirements / Responsibilities:

• Design, implement, and manage Microsoft PKI (ADCS) including Root CA, Subordinate CA, and certificate templates.
• Deploy, configure, and maintain the Venafi Trust Protection Platform for automated certificate lifecycle management.
• Establish policies and governance models for certificate issuance, renewal, revocation, and audit logging.
• Lead troubleshooting efforts for certificate-related issues across endpoints, applications, servers, and network devices.
• Integrate PKI solutions with enterprise infrastructure including Azure, load balancers, firewalls, VPNs, and identity providers.
• Support onboarding of critical applications and devices into Venafi workflows for certificate automation.
• Monitor and manage health and availability of PKI infrastructure, including CRLs, OCSP responders, and AIA locations.
• Participate in incident response and risk mitigation involving PKI systems or expired/compromised certificates.
• Support cryptographic lifecycle management by enforcing standards like key length, algorithm selection, and renewal timelines.
• Provide mentoring and technical leadership to junior team members on PKI best practices.
• Assist in the evaluation and implementation of modern certificate technologies, including short-lived certs and post-quantum crypto readiness.
  

Qualifications:

Education:

• Bachelor or college degree in related field or equivalent work experience
  

Work Experience:

• 5-9 Years’ Experience
  

Skills Expertise

• Minimum 5 years of experience designing and managing enterprise-grade PKI systems.
• Expertise in Microsoft ADCS – including Root/Issuing CAs, CRL/AIA configuration, templates, and key archival.
• Strong experience in Venafi Trust Protection Platform – configuration, policy enforcement, and automation.
• Deep understanding of certificate lifecycle management and cryptographic standards (X.509, RSA, ECC).
• Hands-on experience with certificate automation using APIs, PowerShell, or Venafi workflows.
• Familiarity with TLS/SSL protocols, SCEP, EST, and integration with network/security appliances.
• Knowledge of encryption technologies, HSMs, and key management best practices.
• Experience with auditing, compliance, and PKI governance frameworks (CP/CPS).
• Proven ability to troubleshoot certificate authentication issues and root cause certificate failures across platforms.
• Excellent communication and documentation skills to interface with internal stakeholders, vendors, and auditors.
• Experience working in hybrid cloud environments where certificates are used across on-prem and cloud systems.
• Understanding of DevOps integrations for certificate provisioning (e.g., via REST APIs, pipelines).
• Strong attention to detail and the ability to lead high-impact projects independently.
  

Good to have:

• Familiarity with Azure Key Vault, Azure AD Certificate-Based Authentication, and integration with cloud-native workloads.
• Knowledge of Zero Trust architecture and role of digital certificates in endpoint validation.
• Understanding of advanced certificate use cases like client auth, code signing, document signing.
  

Certification:

• Venafi Certified Administrator (Good to have)
• Microsoft Identity and Access Administrator (Sc-300) (Good to have)
  

Work Requirements:

• Willingness to be on call support engineer and work occasional overtime as required
• Willingness to work in 24*7 rotational shifts as required
  

EY | Building a better working world