PKI Senior Security Engineer

Cigna Healthcare•Bloomfield, CT

About The Position

Bring your expertise in Public Key Infrastructure (PKI) to help secure and enable enterprise-scale platforms. In this role, you will design, operate, and continuously improve certificate and key management services that protect critical systems and applications. You will partner closely with cybersecurity, infrastructure, and application teams to deliver resilient, compliant, and automated certificate solutions while providing hands-on production support in a dynamic, high-availability environment. Responsibilities Architect, deploy, and operate enterprise PKI solutions, with a primary focus on Microsoft Active Directory Certificate Services (ADCS), ensuring secure identity, encryption, and trust services across the organization. Manage certificate lifecycle automation and policy enforcement using Venafi, improving reliability, visibility, and compliance across platforms. Administer and support Hardware Security Modules (HSMs), including Luna and nCipher, to protect cryptographic keys and sensitive operations. Develop, maintain, and enforce certificate standards, policies, and governance frameworks aligned to organizational and regulatory requirements. Provide deep technical leadership during certificate-related incidents, serving as an escalation point to troubleshoot and restore production services within established service level agreements. Partner with application owners, UNIX and Windows administrators, network teams, and external Certificate Authorities to design and implement secure certificate solutions. Govern external Certificate Authorities such as DigiCert and Sectigo, ensuring proper usage, lifecycle management, and compliance. Execute and support critical PKI operational activities, including scheduled change windows, annual CRL publishing, and root key ceremonies. Ensure PKI services meet regulatory and security standards, including FIPS and NIST guidance. Contribute to PKI and certificate management product roadmaps, identifying opportunities for automation, modernization, and risk reduction. Track and report operational health and progress using clear, data-driven metrics. Participate in an on-call rotation, including after-hours change implementation, to support 24x7 enterprise environments. Qualified applicants will be considered without regard to race, color, age, disability, sex, childbirth (including pregnancy) or related medical conditions including but not limited to lactation, sexual orientation, gender identity or expression, veteran or military status, religion, national origin, ancestry, marital or familial status, genetic information, status with regard to public assistance, citizenship status or any other characteristic protected by applicable equal employment opportunity laws. If you require reasonable accommodation in completing the online application process, please email: [email protected] for support. Do not email [email protected] for an update on your application or to provide your resume as you will not receive a response. The Cigna Group has a tobacco-free policy and reserves the right not to hire tobacco/nicotine users in states where that is legally permissible. Candidates in such states who use tobacco/nicotine will not be considered for employment unless they enter a qualifying smoking cessation program prior to the start of their employment. These states include: Alabama, Alaska, Arizona, Arkansas, Delaware, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Maryland, Massachusetts, Michigan, Nebraska, Ohio, Pennsylvania, Texas, Utah, Vermont, and Washington State. Qualified applicants with criminal histories will be considered for employment in a manner consistent with all federal, state and local ordinances. Doing something meaningful starts with a simple decision, a commitment to changing lives. At The Cigna Group, we’re dedicated to improving the health and vitality of those we serve. Through our divisions Cigna Healthcare and Evernorth Health Services, we are committed to enhancing the lives of our clients, customers and patients. Join us in driving growth and improving lives.

Requirements

Minimum of 2 years of hands-on experience supporting PKI technologies, including certificate lifecycle management and reporting.
Minimum of 4 years of Linux/UNIX systems administration experience, including package management and command-line troubleshooting.
Minimum of 4 years of scripting or automation experience using tools such as Ansible, Bash, PowerShell, or Python.
Strong working knowledge of PKI concepts, including SSL/TLS, certificate authorities, public/private key cryptography, CRLs, and trust stores.
Experience supporting Microsoft ADCS components such as CEP/CES and NDES.
Proficiency administering certificates across both UNIX/Linux and Windows environments.
Working knowledge of TCP/IP networking concepts and common infrastructure components, including DNS, firewalls, load balancers (such as F5), and routing.
Hands-on experience using certificate and cryptographic tools such as OpenSSL, Java Keytool, Keystore Explorer, and PuTTY.
Strong organizational and prioritization skills, with the ability to manage multiple certificates and initiatives simultaneously.
Demonstrated ability to work independently in complex, large-scale, multi-platform environments while collaborating effectively across teams.
Proven problem-solving skills with strong attention to detail and a customer-focused mindset.
Excellent verbal and written communication skills, with the ability to explain technical concepts to diverse audiences.

Nice To Haves

Bachelor’s degree in Information Systems, Computer Science, or a related field.
Experience with Venafi, DigiCert, Sectigo or similar certificate management and CA platforms.
Security-related industry certification.
Experience configuring and troubleshooting web, application, and middleware technologies.
Familiarity with healthcare or PBM industry environments.
If you will be working at home occasionally or permanently, the internet connection must be obtained through a cable broadband or fiber optic internet service provider with speeds of at least 10Mbps download/5Mbps upload.

Responsibilities

Architect, deploy, and operate enterprise PKI solutions, with a primary focus on Microsoft Active Directory Certificate Services (ADCS), ensuring secure identity, encryption, and trust services across the organization.
Manage certificate lifecycle automation and policy enforcement using Venafi, improving reliability, visibility, and compliance across platforms.
Administer and support Hardware Security Modules (HSMs), including Luna and nCipher, to protect cryptographic keys and sensitive operations.
Develop, maintain, and enforce certificate standards, policies, and governance frameworks aligned to organizational and regulatory requirements.
Provide deep technical leadership during certificate-related incidents, serving as an escalation point to troubleshoot and restore production services within established service level agreements.
Partner with application owners, UNIX and Windows administrators, network teams, and external Certificate Authorities to design and implement secure certificate solutions.
Govern external Certificate Authorities such as DigiCert and Sectigo, ensuring proper usage, lifecycle management, and compliance.
Execute and support critical PKI operational activities, including scheduled change windows, annual CRL publishing, and root key ceremonies.
Ensure PKI services meet regulatory and security standards, including FIPS and NIST guidance.
Contribute to PKI and certificate management product roadmaps, identifying opportunities for automation, modernization, and risk reduction.
Track and report operational health and progress using clear, data-driven metrics.
Participate in an on-call rotation, including after-hours change implementation, to support 24x7 enterprise environments.