<p>Job Specification: Senior PKI (Public Key Infrastructure) and Cryptography Engineer</p> <p>Job Overview</p> <ul> <li>We are seeking a Senior PKI and Cryptography Engineer to design, implement, and operate enterprise certificate and cryptographic services across our hybrid, multi-cloud environment. </li><li>The role owns secure, full lifecycle certificate management - discovery, issuance, renewal, rotation, and revocation - and delivers integrations across cloud platforms, endpoints, network and security devices, and application stacks. </li><li>This is a hands-on role for a self-starter who can scope and deliver complex initiatives independently, automate aggressively to eliminate manual toil, and partner across security, infrastructure, identity, and DevOps teams. </li><li>You will set cryptographic standards, build the automation that enforces them, and shape a modern PKI program that supports both traditional infrastructure and cloud-native, zero-trust use cases. </li></ul> <p>Key Responsibilities:</p> <ul> <li>Architect and operate enterprise PKI services, including offline root, policy, and issuing CA tiers with HSM-backed key protection. </li><li>Implement and manage full certificate lifecycle automation across cloud, on-premises, endpoint, and network domains. </li><li>Deploy and operate certificate lifecycle management platforms such as Keyfactor and Venafi. </li><li>Design strong authentication solutions using smart cards, YubiKey, and identity certificates for workforce, privileged users, and machine identities. </li><li>Define and enforce cryptographic standards and key management policies aligned to NIST, FIPS, and applicable compliance frameworks. </li><li>Lead incident response and remediation for certificate-related outages or compromise scenarios. </li><li>Act with integrity, professionalism, and personal responsibility to uphold the firm's respectful and courteous work environment. 
</li></ul> <p>Required Qualifications:</p> <ul> <li>Minimum seven years of recent experience in cybersecurity or infrastructure engineering, with at least four years focused on PKI and certificate management in large enterprise environments. </li><li>Hands-on experience designing and operating multi-tier internal PKI (offline root, policy, issuing CAs) using Microsoft ADCS, EJBCA, or equivalent. </li><li>Proven experience implementing certificate lifecycle automation via ACME, SCEP, EST, CMP, or REST APIs at scale. </li><li>Strong experience with smart cards, YubiKey, and identity certificates (PIV, FIDO2/WebAuthn, certificate-based authentication). </li><li>Experience integrating PKI with AWS, Azure, and GCP, plus endpoints, network devices, load balancers, and MDM platforms. </li><li>Experience operating HSMs (Thales, Entrust, CloudHSM, Azure Managed HSM) with FIPS-aligned key ceremony and controls. </li></ul> <p>Preferred:</p> <ul> <li>Bachelor's degree from an accredited college or university in computer science, information security, or related discipline; CISSP, CISM, or GIAC certifications a plus. </li><li>Hands-on experience with Keyfactor (Command, EJBCA) and/or Venafi (TLS Protect, Trust Protection Platform). </li><li>Experience integrating PKI with DevOps toolchains (HashiCorp Vault, cert-manager, service mesh, CI/CD pipelines). </li><li>Familiarity with regulated environments (NIST, FIPS 140-2/3, PCI-DSS, SOX) and crypto-agility / post-quantum readiness. </li></ul> <p>Skills:</p> <ul> <li>PKI and Cryptography: X.509, RFC 5280, certificate profiles, CRL/OCSP, CA/B Forum baseline requirements; RSA, ECDSA, AES, SHA-2/3, TLS 1.2/1.3, mTLS, S/MIME, code signing. </li><li>Identity Certificates and Strong Authentication: Smart cards (PIV/CAC), YubiKey (PIV, FIDO2, OpenPGP), Windows Hello for Business, integration with Active Directory, Entra ID, and Okta. 
</li><li>Certificate Lifecycle Management: Hands-on with Keyfactor and Venafi preferred, plus ACME, SCEP, EST, CMP, and REST-based enrollment workflows. </li><li>Cloud and Platform Integration: AWS (ACM, Private CA, KMS), Azure (Key Vault, Managed HSM), GCP (CAS, KMS), Kubernetes cert-manager, and service mesh mTLS. </li><li>DevOps and Automation: Terraform, Ansible, CI/CD pipelines (Jenkins, GitHub Actions, Azure DevOps), and Git-based workflows. </li><li>Scripting and Programming: Proficiency in at least one of Python, PowerShell, Go, or Bash for tooling and API integrations. </li></ul> <p>Professional Skills:</p> <ul> <li>Self-starter with strong ownership and the ability to drive initiatives end-to-end </li></ul> <p>KPMG LLP ("KPMG") seeks a contractor in the United States to provide service to KPMG through one of our contracted employer/agency service providers. All applicants for any KPMG role are expected to act with integrity, professionalism, and personal responsibility to uphold the firm's respectful and courteous work environment. All applicants must be authorized to work in the U.S. without the need for employment-based visa sponsorship now or in the future. KPMG LLP will not sponsor applicants for U.S. work visa status for this opportunity (no sponsorship is available for H-1B, L-1, TN, O-1, E-3, H-1B1, F-1, J-1, OPT, CPT or any other employment-based visa).</p> <p>Nothing herein shall be deemed to create an employer-employee relationship between contractor and KPMG, nor shall contractor be considered a representative or agent of KPMG.</p> <p>KPMG LLP and its subsidiaries comply with all local/state regulations in regard to displaying pay rate ranges. The pay rate range(s) displayed is/are specifically for those contracted who will perform work in or reside in the location(s) listed, if selected for the role. 
Pay is determined based on a variety of factors including market data, ranges, applicant's skills and prior relevant experience, certain degrees and certifications (e.g. JD, technology), and specific location, for example. Additionally, applicants may be required to apply and become employed by a service provider utilized by KPMG, and final pay rate(s) and/or eligibility for additional benefits may be determined by such provider.</p> <p>KPMG LLP, its subsidiaries, and its agency service providers (including, but not limited to, MBO Partners Inc., Magnit LLC, and TalentBurst Inc.) are equal opportunity employers/contractors. All qualified applicants are considered without regard to race, color, creed, religion, age, sex/gender, national origin, ancestry, citizenship status, marital status, sexual orientation, gender identity or expression, disability, physical or mental handicap unrelated to ability, pregnancy, veteran status, unfavorable discharge from military service, genetic information, or other legally protected status.</p> <p>Los Angeles County applicants: Material job duties for this position are listed above. Criminal history may have a direct, adverse, and negative relationship with some of the material job duties of this position. These include the duties and responsibilities listed above, as well as the abilities to adhere to company policies, exercise sound judgment, effectively manage stress and work safely and respectfully with others, exhibit trustworthiness, and safeguard business operations and company reputation. Pursuant to the California Fair Chance Act, Los Angeles County Fair Chance Ordinance for Employers, Fair Chance Initiative for Hiring Ordinance, and San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.</p>