Systems Administration, Advisor
Job Locations
US-MD-Frederick
Requisition ID: 2026-165830
Position Category: Information Technology
Clearance: Agency Clearance
Responsibilities
Job Summary
We are seeking a hands-on PKI Engineer to provide day-to-day operations, maintenance, and lifecycle management of our enterprise PKI services. This role ensures the integrity, availability, and compliance of cryptographic services that underpin PIV badge issuance and validation, YubiKey authentication, SSL/TLS certificate management, and Entrust Certificate Authority (CA) platforms.
Key Responsibilities
Operations & Maintenance
- Operate and maintain enterprise PKI components: root and issuing CAs, Registration Authorities, OCSP responders, CRL distribution points, and associated directory services (e.g., AD/LDAP).
- Perform routine health checks, capacity planning, patching, and disaster recovery testing for PKI infrastructure.
- Monitor certificate lifecycles (issuance, renewal, revocation) and SLAs; resolve certificate-related incidents and service requests.
- Administer and support Entrust PKI platforms (e.g., Security Manager/CA), including policy configuration, profiles, and integration with downstream systems.
- Manage SSL/TLS for internal and external services (web apps, APIs, load balancers, proxies), including naming, SAN management, cipher suite alignment, and automated renewals (e.g., ACME/EST/SCEP).
- Support PIV credential operations (card issuance, certificate personalization, revocation, and validation services) and YubiKey lifecycle tasks (enrollment, attestation, firmware considerations, and policy profiles).
Security, Compliance & Governance
- Enforce PKI policy (CP/CPS), key management procedures, and secure key ceremonies aligned with organizational and regulatory requirements (e.g., FIPS 140-2/3 for HSMs, FIPS 201 for PIV, NIST guidance).
- Maintain comprehensive documentation: system runbooks, SOPs, CP/CPS updates, architectural diagrams, data flows, and audit artifacts.
- Partner with Audit/Compliance to support assessments, evidence collection, control testing, and remediation (e.g., NIST 800-53 control families, certificate governance).
- Implement segmentation and access controls for PKI components; manage privileged access and break-glass procedures.
- Track and remediate vulnerabilities affecting PKI (CAs, cryptographic libraries, protocol configurations).
Engineering & Automation
- Build and maintain automation for certificate issuance/renewal, inventory, and reporting (e.g., PowerShell, Python, REST APIs, Ansible).
- Integrate PKI with identity platforms and authentication flows (e.g., smart card/PIV login, YubiKey-based MFA, SSO, federation).
- Advise application teams on certificate requirements (key types, key sizes, curves, CSP/KSP settings), mTLS patterns, and mutual trust establishment.
- Lead PKI service improvements: scaling, high availability, telemetry/observability, and performance tuning.
- Evaluate and implement modern cryptographic practices (e.g., SHA-2/3, ECC, post-quantum readiness planning as appropriate).
Collaboration & Support
- Serve as the PKI SME for projects and incident response; provide Tier 3 support and root cause analysis.
- Coordinate with vendors (e.g., Entrust) for platform upgrades, troubleshooting, and feature enablement.
- Train and mentor engineers/administrators on PKI operations, certificate hygiene, and secure usage patterns.
Qualifications
- Minimum of 8 years with BS/BA; Minimum of 6 years with MS/MA; Minimum of 3 years with PhD, 12 years with a HS Diploma
- 5-8+ years of experience in enterprise security/identity engineering, with 3+ years directly operating PKI/CA systems.
- Hands-on expertise with Entrust CA platforms (or equivalent enterprise CA), OCSP/CRL, and directory services (AD/LDAP).
- Strong knowledge of X.509, certificate profiles, key algorithms (RSA/ECC), key escrow, key rotation, and cryptographic modules.
- Experience managing SSL/TLS for large environments (web servers, application gateways, load balancers, containers/K8s ingress).
- Operational experience supporting PIV smart cards and YubiKeys in enterprise authentication/MFA scenarios.
- Proficiency in scripting/automation (PowerShell, Python) and working with PKI APIs (ACME/EST/SCEP/REST).
- Familiarity with security frameworks/standards (e.g., FIPS 201, FIPS 140-2/3, NIST SP 800-53/63, CP/CPS governance).
- Strong troubleshooting skills across Windows/Linux, networking (TLS handshakes, certificate chains, OCSP/CRL reachability), and application integrations.
- Excellent documentation, communication, and stakeholder management capabilities.
Peraton Overview
Peraton is a next-generation national security company that drives missions of consequence spanning the globe and extending to the farthest reaches of the galaxy. As the world's leading mission capability integrator and transformative enterprise IT provider, we deliver trusted, highly differentiated solutions and technologies to protect our nation and allies. Peraton operates at the critical nexus between traditional and nontraditional threats across all domains: land, sea, space, air, and cyberspace. The company serves as a valued partner to essential government agencies and supports every branch of the U.S. armed forces. Each day, our employees do the can't be done by solving the most daunting challenges facing our customers. Visit peraton.com to learn how we're keeping people around the world safe and secure.
Target Salary Range
$104,000 - $166,000. This represents the typical salary range for this position. Salary is determined by various factors, including but not limited to, the scope and responsibilities of the position, the individual's experience, education, knowledge, skills, and competencies, as well as geographic location and business and contract considerations. Depending on the position, employees may be eligible for overtime, shift differential, and a discretionary bonus in addition to base pay.
EEO
EEO: Equal opportunity employer, including disability and protected veterans, or other characteristics protected by law.