Requisition Number
119506BR
BAE Systems, Inc. is seeking a Senior PKI / Certificate Management Engineer to join our Identity Services organization, supporting the Directory Services, Certificate Management, and Privileged Access Management (DCP) team. This strategic role focuses on defining and implementing enterprise-wide standards and best practices for enterprise PKI while collaborating across various departments and IT functions.
As a PKI Engineer, you will be responsible for the governance, engineering, and maintenance of our PKI environment. You’ll lead initiatives around identity modernization, enforce security and compliance standards, and work closely with stakeholders to implement access controls and authentication mechanisms. This is a high-impact, cross-functional role for someone with deep technical expertise and strong communication skills.
The ideal candidate has deep hands-on experience with Microsoft PKI, strong Active Directory fundamentals, and a background in automating certificate lifecycle management in highly regulated environments.
Responsibilities Include:
Design, implement, and support Active Directory Certificate Services (ADCS), including root and issuing Certificate Authorities (CAs)
Manage and maintain PKI infrastructure, including:
Certificate Authorities (CAs)
Online Responders (OCSP)
CRL distribution points
Support external/public certificates (e.g., Sectigo, DigiCert, GoDaddy)
Administer and integrate Hardware Security Modules (HSMs) for private key protection
Ensure cryptographic standards and key management practices align with compliance requirements
Leverage strong Active Directory expertise to support PKI operations:
Certificate templates
Group Policy
Auto-enrollment
Service accounts and permissions
Troubleshoot complex identity and authentication issues related to certificates and smart cards
Administer and enhance Venafi Trust Protection Platform / CyberArk Certificate Manager
Support certificate discovery, policy enforcement, and automation
Integrate certificate management platforms with enterprise tooling
Support smart card infrastructure and credential issuance
Administer Intercede MyID Credential Management System (CMS)
Participate in incident response, root cause analysis, and continuous improvement efforts
Ensure PKI operations align with CMMC, NIST (800-53, 800-171), and other regulatory frameworks
Support audits and compliance reviews related to cryptographic services
Job Posting Title
Senior PKI / Certificate Management Engineer [REMOTE]
Job Family
IT Systems Security
Travel Percentage
<10%
Clearance Level – Must be able to obtain for position
None
Shift
1st Shift
Regular or Temporary
Regular
Typical Education and Experience
Typically a Bachelor's Degree and 6 years of work experience or equivalent experience
Required Skills and Education
5+ years of hands-on experience supporting Microsoft ADCS / PKI
Strong Active Directory administration experience (GPOs, permissions, service accounts)
Experience managing OCSP responders and CRLs
Hands-on experience with Hardware Security Modules (HSMs)
Experience with certificate lifecycle management
Strong written and verbal communication skills; capable of working with cross-functional teams.
Bachelor's degree in CS, IT or an Engineering discipline
Preferred Skills and Education
PowerShell scripting experience for automation and operational efficiency
Experience with implementing monitoring, alerting, and reporting using Splunk
Visio experience for architecture and process documentation
Experience operating in regulated or compliance-driven environments
Experience with Venafi Trust Protection Platform / CyberArk Certificate Manager
Experience with Intercede MyID or other smart card CMS platforms
External/public certificate management (Sectigo, DigiCert, GoDaddy)
GoDaddy domain registration and DNS fundamentals
Experience using ServiceNow for incident/change/request workflows
Familiarity with CMMC, NIST, or similar compliance frameworks
Experience supporting Windows Hello for Business, smart card logon, or certificate-based authentication
Experience with Azure Key Vault
Experience modernizing or automating legacy PKI environments
Proficiency in utilizing tools such as Certutil and/or OpenSSL to create, analyze, and manage digital certificates, Certificate Revocation Lists (CRLs), and Online Certificate Status Protocol (OCSP) responses, including configuration and management of distribution points.
Interfacing with internally hosted Certificate Authorities and upgrading and deploying PKI to all environments
CompTIA Security+ or CISSP
Master's degree in CS, IT or an Engineering discipline
About BAE Systems, Inc.
BAE Systems, Inc. is the U.S. subsidiary of BAE Systems plc, an international defense, aerospace and security company which delivers a full range of products and services for air, land and naval forces, as well as advanced electronics, security, information technology solutions and customer support services. Improving the future and protecting lives is an ambitious mission, but it’s what we do at BAE Systems. Working here means using your passion and ingenuity where it counts – defending national security with breakthrough technology, superior products, and intelligence solutions. As you develop the latest technology and defend national security, you will continually hone your skills on a team—making a big impact on a global scale. At BAE Systems, you’ll find a rewarding career that truly makes a difference.
This position will be posted for at least 5 calendar days. The posting will remain active until the position is filled, or a qualified pool of candidates is identified.
Department
IT_CYBIAM_Cyber IAM
Company
123_BAE Systems Shared Svcs Inc
Posting Requirements
Internal/External
Job Category
Engineering & Technology
U.S. Person Required
Yes
Business Area
ESS IT
Salary Max Point
196825
Salary Min Point
115779
Union Job
None
Recruiter
Kathleen Kirwin
U.S. Citizenship Required
No