PKI Engineer (ZScaler and CyberArk) - 6 Month Contract - Inside IR35 - Hybrid in London

PKI Engineer (ZScaler and CyberArk) - 6 Month Contract - Inside IR35 - Hybrid in London

Contract Type: Initial 6 month contract (Inside IR35)
Rate: £500 per day
Location: Hybrid in London

Role Overview

A PKI Engineer specialising in Certificate Lifecycle Management (CLM) and Zero Touch PKI (ZTPKI) is responsible for implementing and governing enterprise-wide public key infrastructure, ensuring alignment with security strategy and regulatory requirements. The role delivers scalable certificate management controls including automated life cycle governance, policy-based issuance, and machine identity security across cloud-native and hybrid environments, while driving migration from Legacy PKI platforms to SaaS-based solutions.

Working closely with security, engineering, cloud, and DevOps stakeholders, the PKI Engineer ensures seamless integration across AWS, Azure, and Kubernetes environments, drives PKI automation best practices, and strengthens organisational security posture through improved certificate visibility, compliance controls, and reduced risk of certificate-related outages.

Key Responsibilities:

• Manage end-to-end Zero Touch PKI (ZTPKI) including configuration of certificate issuance policies, templates, trust chains, and HSM-backed key security across enterprise workloads
• Implement and manage CyberArk Certificate Manager (CLM SaaS) to automate certificate discovery, issuance, renewal, revocation, key rotation, and life cycle governance
• Integrate CLM/ZTPKI with cloud platforms (AWS/Azure), Kubernetes (cert-manager), and CI/CD pipelines to enable machine identity security across cloud-native workloads
• Drive migration from Legacy PKI solutions (ADCS, EJBCA) to SaaS PKI, supporting auto-enrollment protocols including SCEP, EST, ACME, and REST APIs
• Monitor certificate inventory, expiry alerts, and compliance posture; lead incident response for certificate-related outages, TLS handshake failures, and PKI chain issues

What You Will Ideally Bring:

• 4+ years of hands-on experience with Venafi SaaS-based tooling including CyberArk Certificate Manager and Zero Touch PKI (ZTPKI)
• Strong understanding of PKI concepts including CA hierarchies, CSR, CRL, OCSP, X.509 certificates, and TLS/mTLS
• Experience with certificate life cycle automation, policy-based issuance, approval workflows, and compliance controls
• Proficiency in API-driven certificate provisioning and automation integrations with PKI solutions
• Knowledge of cloud-native environments (AWS, Azure, Kubernetes) and CI/CD pipeline integration for certificate management