Senior PKI engineer

CVS Health
Work At Home-Texas, TX
$92,700 - $185,400

About The Position

We’re building a world of health around every individual — shaping a more connected, convenient and compassionate health experience. At CVS Health®, you’ll be surrounded by passionate colleagues who care deeply, innovate with purpose, hold ourselves accountable and prioritize safety and quality in everything we do. Join us and be part of something bigger – helping to simplify health care one person, one family and one community at a time.

Position Summary

As a PKI Engineer on the CVS Health PKI Engineering team, you will design, build, and operate the certificate lifecycle management infrastructure that secures one of the largest healthcare enterprises in the United States. You will work across two business units (CVS and Aetna), managing a combined estate of large certificates spanning internal, retail, and partner-facing applications.

Requirements

  • 5+ years of hands-on PKI/CLM engineering experience in an enterprise environment (10,000+ certificates under management).
  • Deep working knowledge of X.509 certificate standards, CA hierarchies (root, intermediate, issuing), and certificate chain validation.
  • Production experience with at least one enterprise CLM platform: Venafi TPP, AppViewX, Keyfactor, or CyberArk (formerly Venafi).
  • Strong scripting/automation skills in PowerShell and/or Python, including REST API integration with CLM and CA platforms.
  • Hands-on experience with certificate provisioning to load balancers (F5 BIG-IP), CDNs (Akamai), web servers (IIS, Apache/Nginx), and cloud platforms (AWS ACM, Azure Key Vault).
  • Solid understanding of TLS/SSL protocols, cipher suites, key exchange mechanisms, and certificate revocation (CRL/OCSP).
  • Familiarity with ServiceNow, Jira, or equivalent ITSM/project tracking tools in a regulated enterprise environment.

Nice To Haves

  • Experience with DigiCert ONE, DigiCert CertCentral, or equivalent public CA management platforms.
  • Familiarity with Microsoft Active Directory Certificate Services (ADCS/MSCA) and Group Policy-based auto-enrollment.
  • Exposure to post-quantum cryptography standards (ML-KEM, ML-DSA) and crypto-agility planning.
  • Experience operating in dual-domain or multi-business-unit enterprise environments with segmented policy and access controls.
  • CISSP or vendor-specific PKI certifications (e.g., Venafi Certified Professional).
  • Experience with healthcare or financial services compliance frameworks (HIPAA, PCI-DSS, SOX).
  • Familiarity with F5, HashiCorp Vault, Akeyless, or similar secrets management platforms for certificate and key storage.

Responsibilities

  • Engineer and maintain PowerShell and Python automation for certificate lifecycle operations: issuance, renewal, retirement, and reporting.
  • Own and enhance the daily PKI operational reporting for certificate health monitoring across the enterprise.
  • Build certificate automation and governance workflows, including bulk operations across Venafi TPP REST APIs.
  • Drive private chain adoption across application teams, targeting full migration off public CA chains for internal workloads.
  • Manage the DigiCert certificate authority and DigiCert ONE certificate lifecycle management.
  • Execute the Legacy MSCA shutdown plan.
  • Track and remediate certificates tied to the Legacy CA expiration (Feb 2027 hard deadline).
  • Maintain Zero Trust alignment across all PKI services: mTLS enforcement, workload identity, client authentication policies.
  • Support HIPAA, PCI-DSS, and SOX audit readiness through certificate inventory governance, expiration tracking, and compliance reporting.
  • Contribute to PQC readiness planning: crypto-agility assessments, hybrid certificate testing, and algorithm migration roadmaps.
  • Collaborate with network, application, and cloud teams to resolve certificate-related incidents and architecture reviews.

Benefits

  • medical
  • dental
  • vision coverage
  • paid time off
  • retirement savings options
  • wellness programs