Job Specifications
A client of Innova Solutions is immediately hiring for an PKI Security Engineer/ICA Security Engineer.
Position type: Contract
Duration: 12 to 18 months
Location: 5 days onsite in a week in Charlotte, NC.
Top Skills
As a PKI Security Engineer/ICA Security Engineer, you will:
5+ years of hands experience with Microsoft Active Directory Certificate Services(ADCS)
3+ years of experience designing, deploying, and operating multi-tier Microsoft Public Key Infrastructure (offline root, issuing CAs) in large/complex environments.
2+ years of Strong PowerShell experience
Details:
Senior PKI Engineer to design, implement, and operate enterprise-grade Public Key Infrastructure (PKI) services with a strong focus on Microsoft Active Directory Certificate Services (AD CS) and Active Directory (AD) integration. Handson implementation and integration knowledge of certificate lifecycle management, CA hierarchy governance, enrollment automation, HSM-backed key protection, CA backup restore, migration and integration with platforms such as Windows Server, Linux, network/security devices, cloud providers, MDM/EPP, and zero-trust tooling. Subject matter expert for cryptographic standards, certificate-based authentication, and PKI security controls across the organization.
Key Responsibilities
Architecture & Design:
Design and maintain enterprise PKI architectures (Root CA, Policy CA, Issuing CA) with offline/air?gapped roots, secure key ceremonies, key usage, and issuance workflows and robust CRL/OCSP distribution.
Integrate PKI with Active Directory (incl. AD forests/domains, AD CS, AIA/CDP locations, GPOs), and Azure AD/Entra ID where applicable (e.g., certificate-based auth).
Engineer solutions for mutual TLS, 802.1X (wired/wireless/VPN), device identity, code signing, S/MIME, BitLocker, and disk/volume encryption certs.
Key sizes, algorithms (RSA, ECC and PQC) encryption and hashing.
Implement HSM-backed key storage for CAs and code signing; lead key ceremonies, disaster recovery designs.
Operations & Automation
Own certificate lifecycle management (issuance, renewal, revocation) including automation via Intune, GPO/Autoenrollment, SCEP/NDES, ACME, or MDM connectors.
Manage CRL/OCSP publication, monitoring, and availability, design highly available, geo-distributed revocation endpoints.
Implement scripting/automation (PowerShell, APIs) for bulk issuance, inventory, renewal, and drift detection. Enabling separation of duties for secure operation of PKI infrastructure
CA backup, restore renewal and migration strategy
Security & Compliance
Apply strong key management practices (FIPS 140-2/140-3), certificate assurance levels, and secure CA hardening baselines.
Regularly perform PKI risk assessments, access reviews, and control testing (e.g., template permissions, EKU misuse, issuance constraints).
Lead root cause analysis and incident response for certificate/PKI-related outages or security events.
Maintain alignment with NIST, CAB Forum, Microsoft Security Baselines, and internal compliance frameworks (e.g., SOX, PCI, HIPAA, ISO 27001) as applicable.
Minimum Qualifications
8+ years in Security Engineering/Identity Infrastructure, including 5+ years hands-on with Microsoft AD CS and enterprise Active Directory with managing CA infra
Proven experience designing, deploying, and operating multi-tier Microsoft PKI (offline root, issuing CAs) in large/complex environments.
Deep knowledge of X.509, CRL/OCSP, EKU/KU, SANs, key algorithms and sizes (RSA/ECC), hashing (SHA-2), and certificate validation paths.
Strong PowerShell and Windows Server administration; GPOs, autoenrollment, templates, AIA/CDP configuration.
Experience with 802.1X/EAP-TLS, TLS/mTLS, VPN auth, and device/user certificate issuance at scale.
HSM experience (e.g., nCipher/Entrust/Thales) for CA key management.
Qualified candidates should APPLY NOW for immediate consideration!
This position is only open to applicants who can be engaged on a W-2 basis.
Please hit APPLY to provide the required information, and we will be back in touch as soon as possible.
We are currently interviewing to fill this and other similar positions. If this role is not a fit for you, we do offer a referral bonus program for referrals that we successfully place with our clients, subject to program guidelines. ASK ME HOW.
Thank you!
Balbir Rana
+1 678-373-4463
brana@innovasolutions.com
Pay Range And Benefits
Pay Range*: $72 - $77 per hour
Pay range offered to a successful candidate will be based on several factors, including the candidate's education, work experience, work location, specific job duties, certifications, etc.
Benefits: Innova Solutions offers benefits( based on eligibility) that include the following: Medical & pharmacy coverage, Dental/vision insurance, 401(k), Health saving account (HSA) and Flexible spending account (FSA), Life Insurance, Pet Insurance, Short term and Long term Disability, Accident & Critical illness coverage, Pre