Senior PKI / Certificate Management Engineer…
- BAE Systems (Falls Church, VA)
Job Description
BAE Systems, Inc. is seeking a **Senior PKI / Certificate Management Engineer** to join our Identity Services organization, supporting the Directory Services, Certificate Management, and Privileged Access Management (DCP) team. This strategic role focuses on defining and implementing enterprise-wide standards and best practices for enterprise PKI while collaborating across various departments and IT functions.
As a PKI Engineer, you will be responsible for the governance, engineering, and maintenance of our PKI environment. You'll lead initiatives around identity modernization, enforce security and compliance standards, and work closely with stakeholders to implement access controls and authentication mechanisms. This is a high-impact, cross-functional role for someone with deep technical expertise and strong communication skills.
The ideal candidate has deep hands-on experience with Microsoft PKI, strong Active Directory fundamentals, and a background in automating certificate lifecycle management in highly regulated environments.
Required Education, Experience, & Skills
Responsibilities Include:
+ Design, implement, and support **Active Directory Certificate Services (ADCS)**, including root and issuing Certificate Authorities (CAs)
+ Manage and maintain **PKI infrastructure**, including:
  + Certificate Authorities (CAs)
  + Online Responders (OCSP)
  + CRL distribution points
+ Support **external/public certificates** (e.g., Sectigo, DigiCert, GoDaddy)
+ Administer and integrate **Hardware Security Modules (HSMs)** for private key protection
+ Ensure cryptographic standards and key management practices align with compliance requirements
+ Leverage strong **Active Directory** expertise to support PKI operations:
  + Certificate templates
  + Group Policy
  + Auto-enrollment
  + Service accounts and permissions
+ Troubleshoot complex identity and authentication issues related to certificates and smart cards
+ Administer and enhance **Venafi Trust Protection Platform / CyberArk Certificate Manager**
+ Support certificate discovery, policy enforcement, and automation
+ Integrate certificate management platforms with enterprise tooling
+ Support **smart card infrastructure** and credential issuance
+ Administer **Intercede MyID** Credential Management System (CMS)
+ Participate in incident response, root cause analysis, and continuous improvement efforts
+ Ensure PKI operations align with **CMMC, NIST (800-53, 800-171), and other regulatory frameworks**
+ Support audits and compliance reviews related to cryptographic services
Required Experience:
+ 5 years of hands-on experience supporting **Microsoft ADCS / PKI**
+ Strong **Active Directory** administration experience (GPOs, permissions, service accounts)
+ Experience managing **OCSP responders and CRLs**
+ Hands-on experience with **Hardware Security Modules (HSMs)**
+ Experience with **certificate lifecycle management**
+ Strong written and verbal communication skills; capable of working with cross-functional teams.
Required Education:
Bachelor's degree in CS, IT or an Engineering discipline
Preferred Education, Experience, & Skills
Preferred Experience:
+ PowerShell scripting experience for automation and operational efficiency
+ Experience with implementing monitoring, alerting, and reporting using **Splunk**
+ Visio experience for architecture and process documentation
+ Experience operating in **regulated or compliance-driven environments**
+ Experience with **Venafi Trust Protection Platform / CyberArk Certificate Manager**
+ Experience with **Intercede MyID** or other smart card CMS platforms
+ External/public certificate management (Sectigo, DigiCert, GoDaddy)
+ GoDaddy domain registration and DNS fundamentals
+ Experience using **ServiceNow** for incident/change/request workflows
+ Familiarity with **CMMC, NIST, or similar compliance frameworks**
+ Experience supporting **Windows Hello for Business, smart card logon, or certificate-based authentication**
+ Experience with Azure Key Vault
+ Experience modernizing or automating legacy PKI environments
+ Proficiency in utilizing tools such as Certutil and/or OpenSSL to create, analyze, and manage digital certificates, Certificate Revocation Lists (CRLs), and Online Certificate Status Protocol (OCSP) responses, including configuration and management of distribution points.
+ Interfacing with internally hosted Certificate Authorities and upgrading and deploying PKI to all environments
+ CompTIA Security+ or CISSP
Preferred Education:
Master's degree in CS, IT or an Engineering discipline
Pay Information
Full-Time Salary Range: $115,779 - $196,825
Please note: This range is based on our market pay structures. However, individual salaries are determined by a variety of factors including, but not limited to: business considerations, local market conditions, and internal equity, as well as candidate qualifications, such as skills, education, and experience.
Employee Benefits: At BAE Systems, we support our employees in all aspects of their life, including their health and financial well-being. Regular employees scheduled to work 20 hours per week are offered: health, dental, and vision insurance; health savings accounts; a 401(k) savings plan; disability coverage; and life and accident insurance. We also have an employee assistance program, a legal plan, and other perks including discounts on things like home, auto, and pet insurance. Our leave programs include paid time off, paid holidays, as well as other types of leave, including paid parental, military, bereavement, and any applicable federal and state sick leave. Employees may participate in the company recognition program to receive monetary or non-monetary recognition awards. Other incentives may be available based on position level and/or job specifics.
Senior PKI / Certificate Management Engineer [REMOTE]
119506BR
EEO Career Site Equal Opportunity Employer. Minorities . females . veterans . individuals with disabilities . sexual orientation . gender identity . gender expression