Senior Specialist Certificate Management Operations

Role & responsibilities

Manage certificate lifecycle operations including issuance, renewal, revocation, and cross-certification within complex CA hierarchies.

• Enforce cryptographic key management policies including key generation, escrow, rotation, and destruction
• Monitor certificate status and proactively address expirations to prevent service disruptions.
• Troubleshoot and resolve certificate-related issues across multiple platforms and applications. Automate certificate management processes using scripting languages and certificate management tools.
• Maintain accurate documentation of certificate inventories, configurations, and operational procedures.
• Ensure compliance with PKI best practices, industry standards, and regulatory requirements.
• Stay current with emerging trends, threats, and technologies in digital certificate management. Support incident response efforts related to certificate compromise or misuse.
• Lead PKI-related operations, mentor junior team members, and facilitate cross-team collaboration with security, DevOps, and infrastructure groups.
• Produce comprehensive documentation and communicate complex technical concepts clearly to diverse stakeholders.

• Should be flexible to provide coverage in US morning hours Should be flexible with shifts and supporting on weekends

Preferred candidate profile

Overall - At least 8+ years of experience in performing Digital Certificate Management Operations including:

1. Core PKI & Security Skills

Advanced understanding of X.509 certificates, CRLs, OCSP, and complex CA hierarchies (root, intermediate, issuing).

Expertise in certificate lifecycle management at scale, cross-certification, and trust model architectures.

Strong cryptographic knowledge including symmetric/asymmetric encryption, digital signatures, and hashing algorithms.

Proven experience with key management policies covering generation, escrow, rotation, and secure destruction.

Demonstrated ability to lead complex PKI operations and guide junior team members.

Excellent collaboration skills working with security, DevOps, infrastructure, and application teams.

Operationalize secure PKI systems integrated with IAM, SSO, MFA, and compliant with standards such as NIST, FIPS 140-2, and ISO 27001.

In-depth knowledge of networking protocols relevant to certificate distribution and validation: SSH, TLS/SSL, HTTPS, S/MIME, IPsec, VPNs, DNS, LDAP, HTTP.

Proven experience leveraging automation for certificate lifecycle management using scripting tools like PowerShell and Python

2. Tools & Technologies:

Hands-on experience with OpenSSL, Keytool, Certutil.

Familiarity with Microsoft AD CS, KeyFactor, Venafi, HashiCorp Vault, and EJBCA.

Experience managing Hardware Security Modules (HSMs) such as Thales and SafeNet.

ACME protocol for automated certificate lifecycle management

3. Monitoring, Logging and Compliance:

Maintain thorough logging and auditing of all certificate operations for security and compliance purposes.

Proven ability to troubleshoot complex certificate-related issues across diverse platforms.

Strong documentation skills to support audit readiness and operational transparency.

4. Automation

Python with libraries like cryptography, pyOpenSSL, requests, subprocess for PKI automation and API integration.

PowerShell for Windows PKI environments (e.g., AD CS).

Bash scripting for Linux-based PKI tools and OpenSSL automation.

Java for working with PKI tools such as EJBCA and integrations like HashiCorp Vault.

Other automation tools: Ansible, Terraform, and CI/CD systems (GitHub Actions, Jenkins).

RESTful API integrations for DigiCert, HashiCorp Vault, and ACME protocol platforms.