Sr. PKI Machine Identity Engineer

Brunswick Corporation, Mettawa, IL
Hybrid

About The Position

As part of the talented Brunswick team, you will get to transform Public Key Infrastructure (PKI) into a core identity and trust control plane for the enterprise. The position leads the modernization of PKI to establish strong device trust and machine identity across hybrid environments, spanning on‑premises and cloud platforms. This role owns the PKI platform strategy, tooling, and full lifecycle management, while driving adoption across identity and access management (IAM), endpoint, network, and application teams. It supports a broad set of use cases, including device trust for VPN, Wi‑Fi, and endpoints; workload identity for mTLS and APIs; web and application enablement; and emerging non‑human and AI identities. This is a hands‑on leadership role that combines deep technical execution with cross‑functional delivery to embed identity and trust as foundational enterprise capabilities.

Requirements

  • Bachelor’s degree in Computer Science, Information Systems, or a related field (or equivalent work experience).
  • 8+ years in PKI, cybersecurity, or identity engineering.
  • Deep hands-on experience with enterprise PKI (ADCS or equivalent).
  • Strong understanding of X.509, trust chains, CA hierarchy, and crypto principles.
  • Experience with lifecycle automation and discovery at scale.
  • Experience with certificate-based authentication (VPN, EAP‑TLS, device certs, web/app).
  • Proven cross-functional delivery across IAM, infrastructure, and security.

Nice To Haves

  • Secure key management experience.
  • PKI lifecycle platforms (Keyfactor, Venafi).
  • mTLS, workload identity, or SPIFFE/SPIRE exposure.
  • Hybrid environments (on‑prem + cloud).
  • Zero Trust, Conditional Access, and device trust familiarity.
  • Audit/compliance experience.

Responsibilities

  • PKI Architecture & Platform Ownership: Design, implement, and operate enterprise PKI (ADCS and hybrid/cloud models). Define CA hierarchy (offline root, issuing CAs), trust models, templates, and issuance policies. Establish key protection strategies including HSM integration and secure key lifecycle. Integrate external certificate providers (e.g., Cloudflare, public CAs) into a unified architecture. Define and enforce enterprise PKI standards.
  • Certificate Lifecycle & Automation: Implement automated discovery, issuance, renewal, and revocation across infrastructure, endpoints, apps, and web. Address certificate sprawl and shadow PKI with scalable discovery. Build monitoring and controls to eliminate certificate-related outages. Develop API-driven and scripted automation (PowerShell, Python, CI/CD).
  • Revocation, Resilience & Security: Design and operate CRL/OCSP with high availability and performance. Manage CA lifecycle (rotation, recovery, compromise response). Support audit/compliance (NIST, ISO) and cryptographic standards. Lead threat modeling for PKI risks (key compromise, mis-issuance).
  • Device Trust & Access Integration: Enable certificate-based authentication for VPN, Wi‑Fi (EAP‑TLS), endpoint/device trust, and web/app access. Integrate PKI signals into IAM decisioning (Conditional Access, identity policies). Drive enterprise-wide adoption of certificate-based controls.
  • Machine Identity & mTLS: Design and implement mTLS for services, APIs, and internal platforms. Establish identity models for non-human identities (service accounts, APIs, automation). Support cloud-native/workload identity patterns (Kubernetes, service mesh). Build capabilities for AI-driven and autonomous systems.

Benefits

  • medical
  • dental
  • vision
  • paid vacation
  • 401k (up to 4% match)
  • Health Savings Account (with company contribution)
  • well-being program
  • product purchase discounts