Security Engineer PKI & Cryptography

VDart Inc

Job Location: Santa Clara County, CA - USA

Monthly Salary: Not Disclosed
Posted on: 2 hours ago
Vacancies: 1 Vacancy

Job Summary

Job Title: Security Engineer PKI & Cryptography

Location: ONSITE 5 days per week

Duration: Long Term Contract

  • Design and implement automated certificate lifecycle management across Archer's enterprise network, including issuance, renewal, revocation, and monitoring for TLS/SSL, code signing, device authentication, user certificates, and avionics system certificates.
  • Architect and maintain the internal Certificate Authority (CA) hierarchy and Hardware Security Module (HSM) infrastructure, ensuring strict adherence to secure key custody and lifecycle, multi-party authorization, FIPS 140-2/140-3 compliance, and proper key ceremony procedures.
  • Establish and maintain governance documentation, including Certificate Policy (CP) and Certification Practice Statement (CPS), ensuring alignment with CMMC Level 2, DO-326A airworthiness security requirements, and operational workflows.
  • Implement certificate transparency logging, OCSP (Online Certificate Status Protocol) responders, and CRL (Certificate Revocation List) distribution infrastructure to support real-time certificate validation and revocation checking.
  • Design and implement secure firmware and code signing pipelines for avionics software, including ARINC 615/615A dataloader authentication, loadable software part (LSP) signing, and software distribution security controls per DO-326A requirements.
  • Establish digital signature authority and trust chains for safety-critical software components, ensuring compliance with DO-178C certification requirements and secure avionics software lifecycle management.
  • Develop and enforce trust policies for avionics systems, including key generation, secure storage, key rotation procedures, destruction protocols, and hardware-based key protection for flight-critical code-signing operations.
  • Secure field dataloader operations used by maintenance technicians for aircraft software updates, implementing strong authentication, authorization controls, and audit logging for software loading activities.
  • Implement automated monitoring and alerting for certificate expiration, weak cryptographic algorithms, rogue certificates, and trust chain validation failures across all enterprise systems, cloud environments, and connected avionics test systems.
  • Secure service-to-service authentication by implementing mutual TLS (mTLS), service mesh certificate management, and short-lived certificate issuance for microservices, Kubernetes workloads, and API endpoints.
  • Integrate PKI services with existing identity and access management systems, including Okta (for MFA/Federation) and Active Directory, enabling certificate-based authentication and strengthening zero-trust architecture.
  • Collaborate with IT and infrastructure teams to implement PKI-backed controls for endpoint security, VPN authentication (GlobalProtect), and device attestation across Mac and Windows environments.

Compliance and Governance

  • Facilitate external compliance audits (CMMC, SOX, ITAR) and conduct internal readiness assessments to ensure cryptographic controls meet NIST SP 800-171 Identification and Authentication (IA) requirements, SOX ITGC expectations, and DO-326A airworthiness security standards.
  • Develop and maintain security policies, procedures, and standards for cryptographic key management, certificate usage, algorithm selection, and trust establishment across both IT and operational technology (OT) environments.
  • Provide technical guidance and training to engineering, IT, DevOps, and security teams on PKI best practices, secure code signing workflows, certificate standards, and cryptographic policy enforcement.
  • Stay current with emerging PKI threats, attack vectors, and security best practices, including certificate abuse, key compromise scenarios, quantum-resistant cryptography developments, and post-quantum migration strategies relevant to long-lifecycle aviation systems.

Required Qualification

  • 5 years of experience in PKI engineering, cryptographic operations, or related security roles, with a minimum of 2 years designing and implementing production PKI systems at an architect or senior engineer level.
  • Hands-on experience designing and operating enterprise PKI solutions such as Microsoft Certificate Services, OpenSSL-based CAs, HashiCorp Vault PKI, or cloud-native certificate management services (AWS Certificate Manager, AWS Private CA, Google Certificate Authority Service).
  • Deep technical understanding of cryptographic standards and protocols, including X.509 certificate structure, PKCS standards (PKCS#1, PKCS#7, PKCS#11, PKCS#12), TLS 1.2/1.3, mutual TLS (mTLS), certificate chain validation, trust anchor management, and key exchange mechanisms.
  • Demonstrated experience designing and scaling secure code signing and firmware signing pipelines for embedded systems, IoT devices, or critical infrastructure, including signature verification, tamper detection, and secure boot processes.
  • Proven track record defining and enforcing cryptographic trust policies, including key generation standards, secure key storage requirements, key rotation procedures, key backup and recovery processes, and secure key destruction protocols.

Technical Skills

Preferred Qualifications

Advanced PKI Experience

  • Hands-on experience architecting and implementing certificate-based Zero Trust Architecture (ZTA), including device attestation, workload identity, continuous certificate verification, and micro-segmentation using certificate-based authentication.
  • Background in post-quantum cryptography (PQC) evaluation, NIST PQC standardization efforts (ML-KEM, ML-DSA, SLH-DSA), hybrid cryptographic approaches, and migration planning for transitioning long-lifecycle aviation systems to quantum-resistant algorithms.
  • Experience with certificate abuse detection, SSL/TLS interception and inspection techniques, certificate transparency (CT) log monitoring, cryptographic attack pattern identification, and incident response for PKI compromise scenarios.

Aerospace and Compliance

  • Familiarity with aviation cybersecurity standards, including DO-326A/ED-202A (Airworthiness Security Process Specification), DO-355/ED-204 (Information Security Guidance for Continuing Airworthiness), and DO-356/ED-203 (Airworthiness Security Methods and Considerations).
  • Understanding of avionics software development standards (DO-178C) and how cryptographic controls integrate with safety-critical software certification processes.
  • Experience conducting or supporting CMMC Level 2 assessments, NIST SP 800-171 compliance audits, or other DoD/federal security assessments focused on cryptographic and certificate management controls.
  • Direct experience with additional compliance frameworks such as ISO/IEC 27001 (Information Security Management), PCI-DSS (payment card PKI requirements), or FedRAMP (federal cloud authorization).

Key Skills

  • Splunk
  • IDS
  • Network security
  • Computer Networking
  • Identity & Access Management
  • PKI
  • PCI
  • NIST Standards
  • Security System Experience
  • Information Security
  • Encryption
  • SIEM