Senior Public Key Infrastructure (PKI) Consultant

At EY, you’ll have the chance to build a career as unique as you are, with the global scale, support, inclusive culture and technology to become the best version of you. And we’re counting on your unique voice and perspective to help EY become even better, too. Join us and build an exceptional experience for yourself, and a better working world for all.

Managed Service–IAM MS – PKI MS PKI And Venafi Senior

The PKI Consultant role will be primarily responsible for the support, design, and enhancement of enterprise-level Public Key Infrastructure (PKI) solutions, focusing on Microsoft PKI (Active Directory Certificate Services) and Venafi Trust Protection Platform. The role includes overseeing secure certificate lifecycle management, designing scalable certificate services architecture, and ensuring compliance and governance across internal and external systems. This position requires strong expertise in digital identity, cryptographic practices, and automation of certificate processes.

Key Requirements / Responsibilities:

• Design, implement, and manage Microsoft PKI (ADCS) including Root CA, Subordinate CA, and certificate templates.
• Deploy, configure, and maintain the Venafi Trust Protection Platform for automated certificate lifecycle management.
• Establish policies and governance models for certificate issuance, renewal, revocation, and audit logging.
• Lead troubleshooting efforts for certificate-related issues across endpoints, applications, servers, and network devices.
• Integrate PKI solutions with enterprise infrastructure including Azure, load balancers, firewalls, VPNs, and identity providers.
• Support onboarding of critical applications and devices into Venafi workflows for certificate automation.
• Monitor and manage health and availability of PKI infrastructure, including CRLs, OCSP responders, and AIA locations.
• Participate in incident response and risk mitigation involving PKI systems or expired/compromised certificates.
• Support cryptographic lifecycle management by enforcing standards like key length, algorithm selection, and renewal timelines.
• Provide mentoring and technical leadership to junior team members on PKI best practices.
• Assist in the evaluation and implementation of modern certificate technologies, including short-lived certs and post-quantum crypto readiness.

Relationships:

• Operation Lead / Manager

Qualifications:

Education:

• Bachelor orcollegedegree in related field or equivalent work experience

.

Work Experience:

• 5-9 Years’ Experience

Skills Expertise

• Minimum 5 years of experience designing and managing enterprise-grade PKI systems.
  Expertise in Microsoft ADCS – including Root/Issuing CAs, CRL/AIA configuration, templates, and key archival.
• Strong experience in Venafi Trust Protection Platform – configuration, policy enforcement, and automation.
• Deep understanding of certificate lifecycle management and cryptographic standards (X.509, RSA, ECC).
• Hands-on experience with certificate automation using APIs, PowerShell, or Venafi workflows.
  Familiarity with TLS/SSL protocols, SCEP, EST, and integration with network/security appliances.
• Knowledge of encryption technologies, HSMs, and key management best practices.
• Experience with auditing, compliance, and PKI governance frameworks (CP/CPS).
• Proven ability to troubleshoot certificate authentication issues and root cause certificate failures across platforms.
• Excellent communication and documentation skills to interface with internal stakeholders, vendors, and auditors.
• Experience working in hybrid cloud environments where certificates are used across on-prem and cloud systems.
• Understanding of DevOps integrations for certificate provisioning (e.g., via REST APIs, pipelines).
• Strong attention to detail and the ability to lead high-impact projects independently.

Good to have:

• Familiarity with Azure Key Vault, Azure AD Certificate-Based Authentication, and integration with cloud-native workloads.
• Knowledge of Zero Trust architecture and role of digital certificates in endpoint validation.
• Understanding of advanced certificate use cases like client auth, code signing, document signing.

Certification :

• Venafi Certified Administrator (Good to have)
• Microsoft Identity and Access Administrator (Sc-300) (Good to have)

Work Requirements:

• Willingness to be on call support engineer and work occasional overtime as required
• Willingness to work in 24*7 rotational shifts as required

EY | Building a better working world

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.