Senior PKI / Certificate Management Engineer [REMOTE

Job Description
BAE Systems, Inc. is seeking a Senior PKI / Certificate Management Engineer to join our Identity Services organization, supporting the Directory Services, Certificate Management, and Privileged Access Management (DCP) team. This strategic role focuses on defining and implementing enterprise-wide standards and best practices for PKI enterprise while collaborating across various departments and IT functions.
As a PKI Engineer, you will be responsible for the governance, engineering, and maintenance of our PKI environment. You'll lead initiatives around identity modernization, enforce security and compliance standards, and work closely with stakeholders to implement access controls and authentication mechanisms. This is a high-impact, cross-functional role for someone with deep technical expertise and strong communication skills.
The ideal candidate has deep hands-on experience with Microsoft PKI, strong Active Directory fundamentals, and a background in automating certificate lifecycle management in highly regulated environments.
Responsibilities Include:

• Design, implement, and support Active Directory Certificate Services (ADCS), including root and issuing Certificate Authorities (CAs)
• Manage and maintain PKI infrastructure, including:
  • Certificate Authorities (CAs)
  • Online Responders (OCSP)
  • CRL distribution points
• Support external/public certificates (e.g., Sectigo, DigiCert, GoDaddy)
• Administer and integrate Hardware Security Modules (HSMs) for private key protection
• Ensure cryptographic standards and key management practices align with compliance requirements
• Leverage strong Active Directory expertise to support PKI operations:
  • Certificate templates
  • Group Policy
  • Auto-enrollment
  • Service accounts and permissions
• Troubleshoot complex identity and authentication issues related to certificates and smart cards
• Administer and enhance Venafi Trust Protection Platform / CyberArk Certificate Manager
• Support certificate discovery, policy enforcement, and automation
• Integrate certificate management platforms with enterprise tooling
• Support smart card infrastructure and credential issuance
• Administer Intercede MyID Credential Management System (CMS)
• Participate in incident response, root cause analysis, and continuous improvement efforts
• Ensure PKI operations align with CMMC, NIST (800-53, 800-171), and other regulatory frameworks
• Support audits and compliance reviews related to cryptographic services

Required Education, Experience, & Skills

• 5+ years of hands-on experience supporting Microsoft ADCS / PKI
• Strong Active Directory administration experience (GPOs, permissions, service accounts)
• Experience managing OCSP responders and CRLs
• Hands-on experience with Hardware Security Modules (HSMs)
• Experience with certificate lifecycle management
• Strong written and verbal communication skills; capable of working with cross-functional teams.
• Bachelor's degree in CS, IT or an Engineering discipline

Preferred Education, Experience, & Skills

• PowerShell scripting experience for automation and operational efficiency
• Experience with implementing monitoring, alerting, and reporting using Splunk
• Visio experience for architecture and process documentation
• Experience operating in regulated or compliance-driven environments
• Experience with Venafi Trust Protection Platform / CyberArk Certificate Manager
• Experience with Intercede MyID or other smart card CMS platforms
• External/public certificate management (Sectigo, DigiCert, GoDaddy)
• GoDaddy domain registration and DNS fundamentals
• Experience using ServiceNow for incident/change/request workflows
• Familiarity with CMMC, NIST, or similar compliance frameworks
• Experience supporting Windows Hello for Business, smart card logon, or certificate-based authentication
• Experience with Azure Key Vault
• Experience modernizing or automating legacy PKI environments
• Proficiency in utilizing tools such as Certutil and/or OpenSSL to create, analyze, and manage digital certificates, Certificate Revocation Lists (CRLs), and Online Certificate Status Protocol (OCSP) responses, including configuration and management of distribution points.
• Interfacing with internally hosted Certificate Authorities and upgrading and deploying PKI to all environments
• CompTIA Security+ or CISSP
• Master's degree in CS, IT or an Engineering discipline

Pay Information
Full-Time Salary Range: $115779 - $196825
Please note: This range is based on our market pay structures. However, individual salaries are determined by a variety of factors including, but not limited to: business considerations, local market conditions, and internal equity, as well as candidate qualifications, such as skills, education, and experience.
Employee Benefits: At BAE Systems, we support our employees in all aspects of their life, including their health and financial well-being. Regular employees scheduled to work 20+ hours per week are offered: health, dental, and vision insurance; health savings accounts; a 401(k) savings plan; disability coverage; and life and accident insurance. We also have an employee assistance program, a legal plan, and other perks including discounts on things like home, auto, and pet insurance. Our leave programs include paid time off, paid holidays, as well as other types of leave, including paid parental, military, bereavement, and any applicable federal and state sick leave. Employees may participate in the company recognition program to receive monetary or non-monetary recognition awards. Other incentives may be available based on position level and/or job specifics.
About BAE Systems, Inc.
BAE Systems, Inc. is the U.S. subsidiary of BAE Systems plc, an international defense, aerospace and security company which delivers a full range of products and services for air, land and naval forces, as well as advanced electronics, security, information technology solutions and customer support services. Improving the future and protecting lives is an ambitious mission, but it's what we do at BAE Systems. Working here means using your passion and ingenuity where it counts - defending national security with breakthrough technology, superior products, and intelligence solutions. As you develop the latest technology and defend national security, you will continually hone your skills on a team-making a big impact on a global scale. At BAE Systems, you'll find a rewarding career that truly makes a difference.
This position will be posted for at least 5 calendar days. The posting will remain active until the position is filled, or a qualified pool of candidates is identified.