PKI Engineer managing internal and external certificate authorities for U.S. Bank. Focusing on certificate management and security best practices across various platforms.
Responsibilities
Manage internal Certificate Authority (Active Directory Certificate Services) including, but not limited to, certificate templates, issuance and revocation of internal certificates, PKI administration, and automated certificate issuance for server certificates, client certificates, S/MIME certificates, and code signing certificates.
Maintain Certificate Revocation List (CRL) distribution servers critical to the entire enterprise environment.
Maintain NDES/SCEP protocol servers critical to certificate distribution for corporate Apple/Mac workstations.
Manage external Certificate Authority (DigiCert CA) including issuance and revocation of externally signed certificates, and the Domain Control Validation (DCV) process.
Provide necessary mentoring and training to all certificate owners regarding maintaining certificate security and industry-level best practices.
Identify and manage all server (machine) SSH keys on an enterprise level and scope a multi-year project to replace these never-expiring credentials with short-lived SSH certificates.
Maintain the life cycle, alerting, and potential automation of certificates used by machines.
Design, document, and implement operating procedures that include systematic processes and delegation for the machine identity lifecycle and maintenance tasks.
Requirements
Preferred Bachelor’s degree in Information Technology/Security, and/or 4-6 years of equivalent work experience (Helpdesk, System Administration, Middleware) with a minimum of 1-3 years of experience as it relates to PKI administration, certificate management using Venafi, with working knowledge of mTLS, SSO, LDAP/Kerberos integrations or equivalent knowledge/experience.
Machine Identity Management goes beyond a solid understanding of Public Key Infrastructure (PKI) administration, which is a basic requirement. It requires next-level knowledge of the inner workings of machine identities including, but not limited to, SSH keys, SSH certificates, JWT, JWE, SPIFFE, SPIRE, and other forms of machine identity and access controls.
Strong proficiency in cryptography, cryptographic standards, risk-based compliance, and zero-trust.
Knowledge of X.509 standards as they relate to digital certificates, SSH keys, and PKI administration.
Working knowledge of authentication and authorization through multifactor (MFA), Mutual TLS (mTLS), single sign-on (SSO), and LDAP/Kerberos integrations using certificates.
Working knowledge of Windows PowerShell scripting used for certificate automation and processing.
Experience with Certificate Management solutions including Venafi, API integrations with Venafi, alerting and automation, and integrations with various other software solutions for certificate issuance and monitoring.
Troubleshooting certificate configuration and TLS issues.
Benefits
Healthcare (medical, dental, vision)
Basic term and optional term life insurance
Short-term and long-term disability
Pregnancy disability and parental leave
401(k) and employer-funded retirement plan
Paid vacation (from two to five weeks depending on salary grade and tenure)
Up to 11 paid holiday opportunities
Adoption assistance
Sick and Safe Leave accruals of one hour for every 30 worked, up to 80 hours per calendar year unless otherwise provided by law