Summary:
ZTI Solutions is seeking a Senior Public Key Infrastructure (PKI) Engineer to architect, automate, and modernize enterprise PKI supporting Department of Defense and Federal customers.
This position focuses on enterprise server PKI, certificate lifecycle automation, and infrastructure trust services, not end-user certificate administration. You will modernize CA infrastructure, automate certificate management at scale, support post-quantum cryptography transition planning, and help shape Zero Trust initiatives in mission-critical DoD environments.
ZTI will sponsor Top Secret clearance processing. Benefits include 100% company-paid medical, dental, and vision for you and your family, 4 weeks PTO, and certification reimbursement.
Key Responsibilities:
- Architect, deploy, administer, and maintain enterprise PKI environments and Certificate Authority (CA) infrastructure, including Microsoft Active Directory Certificate Services (AD CS).
- Design and manage enterprise server certificate strategies across Windows, Linux, virtualization, cloud, web services, APIs, and load balancers.
- Automate certificate lifecycle management (issuance, renewal, revocation, expiration monitoring, key rotation, reporting) using ACME, SCEP/EST, REST APIs, PowerShell, Python, Bash, Ansible, or Terraform.
- Deploy, manage, and troubleshoot TLS/SSL certificates, trust chains, and certificate validation across the enterprise.
- Integrate PKI services with Active Directory, Azure, AWS, virtualization platforms, and DevSecOps pipelines.
- Support Zero Trust initiatives through machine identity and certificate-based trust.
- Support planning for post-quantum cryptography and CNSA 2.0 migration.
- Ensure PKI environments comply with NIST, FIPS, DISA STIGs, and RMF requirements.
- Participate in incident response for certificate compromise or trust-related events.
- Maintain technical documentation, architecture diagrams, SOPs, and configuration baselines.
- Provide technical leadership and mentorship to junior engineers.
Requirements:
- U.S. Citizen with an active Secret clearance; eligible for Top Secret (ZTI sponsors processing).
- Hybrid: up to 3 days/week onsite in Fairfax, VA.
- DoD 8140 IAT Level II certification (Security+ CE or higher), or ability to obtain within 90 days.
- 8+ years of systems/security engineering experience with 4+ years focused on enterprise PKI (or 12 years total without a degree).
- Experience administering AD CS or comparable enterprise PKI platforms.
- Experience automating certificate lifecycle management at scale.
- Experience administering Windows Server and/or Linux.
- Strong understanding of X.509, CRL/OCSP, enterprise trust models, cryptographic algorithms, and key management.
- Excellent analytical, problem-solving, and communication skills.
Preferred Qualifications:
- CISSP, Azure Security Engineer Associate, or AWS Certified Security - Specialty.
- Experience with Entrust, DigiCert, EJBCA, Keyfactor, Venafi, or similar platforms.
- Hardware Security Module (HSM) experience.
- Azure Government, AWS GovCloud, or hybrid cloud environments.
- PKI integration with Kubernetes, containers, or service mesh.
- Experience supporting DoD RMF, FedRAMP, or CMMC compliance initiatives.
Benefits:
- 4 weeks PTO plus all federal holidays paid.
- 100% company-paid medical, dental, and vision for employees and their families.
- 4% matching 401(k).
- Professional training and certification reimbursement.
- Flexible hybrid work environment.