PKI Engineer at Distro – São Paulo

PKI JD

Summary:

We are looking for a PKI/CLM Engineer with hands-on experience in ADCS, AWS ACM, and Venafi to design, implement, and manage enterprise PKI and Certificate Lifecycle Management services. The role includes certificate automation, policy enforcement, infrastructure and application integration, and ensuring compliance with security and audit standards. Required skills include CRL and OCSP maintenance, AWS Key Vault, cloud and hybrid environments, and PowerShell scripting for automation.

Roles Responsibilities: -

Manage enterprise PKI infrastructure including Root and Issuing Certificate.

Responsibilities:

· Manage certificate lifecycle activities: issuance, renewal, revocation, rekey, rollover, and retirement.

· Configure and maintain Offline Root CA, Issuing CAs, certificate templates/profiles, and policy constraints.

· Manage CRL/OCSP publishing and ensure high availability.

· Maintain PKI documentation aligned with standards like CP/CPS, operational runbooks, and SOPs.

· Support audits and compliance requirements, including CAB Forum standards.

· Manage and monitor PKI/HSM operations end-to-end, including health checks, backups, configurations, and policies.

· Implement and maintain processes for managing internal and external certificate lifecycles.

· Monitor certificates for expiration, perform timely renewals, and revoke compromised or obsolete certificates.

· Possess strong technical expertise in Microsoft Active Directory Certificate Services (ADCS), including OCSP, CRLs, certificate templates, key archival, and NDES/SCEP.

· Proficient in scripting and automation, especially PowerShell, with the ability to integrate PKI solutions across platforms such as network devices, load balancers, and Windows/Linux environments.

· Have solid understanding of cryptography and encryption standards, including TLS, X.509, RSA/ECC, CSRs, and secure key management with HSMs and TPMs.

· Hands-on experience with cloud-based certificate and key management; strong troubleshooting skills; exposure to AWS ACM/PCA, Venafi tools, and relevant security or PKI certifications is advantageous.

· Assist with enterprise-wide certificate lifecycle tasks, including requests, issuance, renewal, and revocation.

· Maintain and update inventories of machine identities, including certificates, keys, and service credentials.

· Assist in identifying orphaned, expired, or misconfigured machine identities.

· Monitor adherence to governance controls and escalate exceptions or risks.

· Maintain accurate certificate inventory records, including ownership, purpose, and expiration dates.

· Identify and report at-risk certificates, including expired, soon-to-expire, weak cryptography, or unknown owners.

· Assist with certificate issuance requests and validate required information.

· Demonstrate experience managing enterprise-scale PKI environments across on-premises and cloud platforms, including lifecycle management and automation (e.g., Venafi Trust Protection Platform).

· Possess strong technical expertise in Microsoft Active Directory Certificate Services (ADCS), including OCSP, CRLs, certificate templates, key archival, and NDES/SCEP.

· Knowledge of AD, DNS, IAM operations, and CyberArk Privilege Cloud is beneficial.

Required Skills:

· Microsoft ADCS

· SCEP

· AWS PCA

· Venafi

· HSM & Encryption

· PKI & Certificate Management.

· AD (Good to have)

· CyberArk (Good to have)

#Matchpoint

#LI-PROMOTED

#LI-Remote