Systems Administration, Advisor

Peraton, Frederick, MD

About The Position

We are seeking a hands-on PKI Engineer to provide day‑to-day operations, maintenance, and lifecycle management of our enterprise PKI services. This role ensures the integrity, availability, and compliance of cryptographic services that underpin PIV badge issuance and validation, YubiKey authentication, SSL/TLS certificate management, and Entrust Certificate Authority (CA) platforms.

Requirements

  • Minimum of 8 years with BS/BA; Minimum of 6 years with MS/MA; Minimum of 3 years with PhD, 12 years with a HS Diploma
  • 5–8+ years of experience in enterprise security/identity engineering, with 3+ years directly operating PKI/CA systems.
  • Hands-on expertise with Entrust CA platforms (or an equivalent enterprise CA), OCSP/CRL, and directory services (AD/LDAP).
  • Strong knowledge of X.509, certificate profiles, key algorithms (RSA/ECC), key escrow, key rotation, and cryptographic modules.
  • Experience managing SSL/TLS for large environments (web servers, application gateways, load balancers, containers/K8s ingress).
  • Operational experience supporting PIV smart cards and YubiKeys in enterprise authentication/MFA scenarios.
  • Proficiency in scripting/automation (PowerShell, Python) and working with PKI APIs (ACME/EST/SCEP/REST).
  • Familiarity with security frameworks/standards (e.g., FIPS 201, FIPS 140-2/3, NIST SP 800‑53/63, CP/CPS governance).
  • Strong troubleshooting skills across Windows/Linux, networking (TLS handshakes, certificate chains, OCSP/CRL reachability), and application integrations.
  • Excellent documentation, communication, and stakeholder management capabilities.

Responsibilities

  • Operate and maintain enterprise PKI components: root and issuing CAs, Registration Authorities, OCSP responders, CRL distribution points, and associated directory services (e.g., AD/LDAP).
  • Perform routine health checks, capacity planning, patching, and disaster recovery testing for PKI infrastructure.
  • Monitor certificate lifecycles (issuance, renewal, revocation) and SLAs; resolve certificate-related incidents and service requests.
  • Administer and support Entrust PKI platforms (e.g., Security Manager/CA), including policy configuration, profiles, and integration with downstream systems.
  • Manage SSL/TLS for internal and external services (web apps, APIs, load balancers, proxies), including naming, SAN management, cipher suite alignment, and automated renewals (e.g., ACME/EST/SCEP).
  • Support PIV credential operations (card issuance, certificate personalization, revocation, and validation services) and YubiKey lifecycle tasks (enrollment, attestation, firmware considerations, and policy profiles).
  • Enforce PKI policy (CP/CPS), key management procedures, and secure key ceremonies aligned with organizational and regulatory requirements (e.g., FIPS 140-2/3 for HSMs, FIPS 201 for PIV, NIST guidance).
  • Maintain comprehensive documentation: system runbooks, SOPs, CP/CPS updates, architectural diagrams, data flows, and audit artifacts.
  • Partner with Audit/Compliance to support assessments, evidence collection, control testing, and remediation (e.g., NIST 800-53 control families, certificate governance).
  • Implement segmentation and access controls for PKI components; manage privileged access and break‑glass procedures.
  • Track and remediate vulnerabilities affecting PKI (CAs, cryptographic libraries, protocol configurations).
  • Build and maintain automation for certificate issuance/renewal, inventory, and reporting (e.g., PowerShell, Python, REST APIs, Ansible).
  • Integrate PKI with identity platforms and authentication flows (e.g., smart card/PIV login, YubiKey-based MFA, SSO, federation).
  • Advise application teams on certificate requirements (key types, key sizes, curves, CSP/KSP settings), mTLS patterns, and mutual trust establishment.
  • Lead PKI service improvements: scaling, high availability, telemetry/observability, and performance tuning.
  • Evaluate and implement modern cryptographic practices (e.g., SHA-2/3, ECC, post-quantum readiness planning as appropriate).
  • Serve as the PKI SME for projects and incident response; provide Tier 3 support and root cause analysis.
  • Coordinate with vendors (e.g., Entrust) for platform upgrades, troubleshooting, and feature enablement.
  • Train and mentor engineers/administrators on PKI operations, certificate hygiene, and secure usage patterns.

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Number of Employees

5,001-10,000 employees

© 2024 Teal Labs, Inc