SENIOR SYSTEMS ENGINEER (PKI)

Job Category: Engineering
Job Types: Full Time
Job Locations: Remote
Security Clearance: Public Trust

Requisition ID: 1161

COMPANY OVERVIEW

Lalaith Astor Technical Consulting House (LATCH) provides technical consulting services to the US Federal Government. We provide dependable high-quality solutions as well as innovative architecture, engineering, and functional designs. Our core values enable us to bring unique viewpoints as we approach our work such as understanding and adopting the client’s mission; delivering technical solutions that are aligned to client goals, objectives, and budgets; empowering clients through systems engineering and technical assistance (SETA) services; and producing high quality, value-driven work products.

At LATCH, you’ll work with clients and a leadership team that empowers our people to think audaciously, welcomes differences, and encourages pride in our work while exposing and solving emerging challenges to meet impactful commitments.

Engage with LATCH on LinkedIn.

JOB SUMMARY

The LATCH Systems Engineer focuses on Public Key Infrastructure technologies, hybrid multi-cloud deployments, machine identity management, and certificate lifecycle management. The Systems Engineer is responsible for the design, implementation, and maintenance of highly secure network systems. They leverage an advanced understanding of PKI to support product and development teams with their secure communications requirements. They manage the certificate lifecycle management platform, Windows CA, and integrations between Windows CA and other cloud-native certificate management services; implement runbooks and automated workflows; and protect cryptographic keys to reduce the risk of cyber threats. They administer virtual servers in Azure GovCloud and Amazon Web Services. They onboard product and development teams, provide them with engineering support, and stay current with the latest security regulations, advisories, alerts, and vulnerabilities pertaining to the organization and its mission.

RESPONSIBILITIES AND DUTIES

Job responsibilities and duties will include, but are not limited to, the following:

  • PKI Engineering & Architecture
    • Design, implement, and maintain enterprise PKI solutions, including CA hierarchy, CRLs, OCSP, certificate templates, and lifecycle policies.
    • Engineer secure certificate issuance, renewal, revocation, and trust validation processes across distributed systems and multi-cloud environments.
  • Certificate Lifecycle Management & Automation
    • Administer and enhance the enterprise certificate lifecycle management (CLM) solution and machine identity management (MIDM) solution, including workflow configuration, automation, discovery, and policy governance.
    • Develop automated certificate issuance workflows for cloud, on-premises, and hybrid workloads.
    • Integrate CLM/MIDM capabilities with cloud platforms, load balancers, containers, API gateways, and enterprise applications.
  • Machine Identity, Cryptography & Secure Communications
    • Engineer and safeguard cryptographic key infrastructure supporting TLS/SSL, mTLS, API authentication, code signing, and secure application communication.
    • Support application and development teams by designing certificate and key-management strategies aligned to modern encryption and identity requirements.
  • Cloud & Infrastructure Integration
    • Support certificate operations for services hosted in Azure, AWS, and GCP, including VM-based systems, cloud-native services, and container workloads.
    • Engineer secure certificate automation with cloud key services (Azure Key Vault, AWS KMS, GCP KMS) and enterprise keystores.
  • Monitoring, Auditing & Compliance
    • Conduct periodic PKI and Venafi platform audits to identify vulnerabilities, gaps, or lifecycle anomalies.
    • Ensure compliance with federal regulations and standards including NIST 800-53, 800-57, 800-63, FIPS, FedRAMP, and agency-specific security guidelines.
    • Monitor certificate expiration, platform health, CRL/OCSP performance, and operational metrics.
  • Troubleshooting & Engineering Support
    • Diagnose complex PKI, TLS handshake, and certificate chain issues across diverse platforms.
    • Support senior security engineers and application teams with advanced debugging, including protocol analysis, logs review, packet captures, and trust validation.
  • Documentation & Cross-Team Collaboration
    • Develop and maintain technical documentation, engineering diagrams, policy manuals, and SOPs for PKI and machine identity management.

REQUIRED QUALIFICATIONS AND SKILLS

The selected candidate must have the following qualifications and skills:

  • Hands-on experience engineering, operating, and troubleshooting enterprise PKI environments, including CA hierarchy design, subordinate/issuing CAs, and policy enforcement.
  • Deep understanding of TLS/SSL, mTLS, X.509 certificate structure, certificate chain building, and trust store management.
  • Experience administering and automating an enterprise certificate lifecycle management (CLM) solution or machine identity management (MIDM) solution in production environments.
  • Experience operating OCSP responders, CRL distribution points, and configuring certificate revocation behaviors across varied platforms.
  • Experience creating and managing certificate templates, key usage/extended key usage (KU/EKU), and cryptographic algorithm policies (RSA, ECC, SHA2/SHA3).
  • Proficiency troubleshooting TLS handshake failures, cipher suite mismatches, ALPN negotiation, and protocol version incompatibilities (TLS 1.2, TLS 1.3).
  • Experience with secure key management practices, including HSM integration, secure key storage, key wrapping/unwrapping, and key rotation procedures.
  • Ability to analyze certificate and cryptographic issues using tools such as OpenSSL, certutil, keytool, Wireshark, SSL Labs, and platform-specific trust diagnostic utilities.
  • Experience designing certificate automation for cloud-native systems, including Kubernetes certificate rotation, service mesh mTLS (Istio/Envoy), and cloud load balancer certificate management.

DESIRED QUALIFICATIONS AND SKILLS

It is desirable that the candidate has the following qualifications and skills:

  • Experience scripting with Python, Bash, or PowerShell to automate certificate runbooks or workflows.
  • Familiarity with network security engineering, secure protocols, and secure configuration baselines.
  • Experience with certificate automation in Kubernetes, Istio, Envoy, cloud load balancers, or API gateways.
  • Knowledge of identity systems such as ADCS, ADFS, Okta, Entra ID, or other ICAM components.
  • Understanding of FedRAMP, ISO 27001, GDPR, and related compliance frameworks.
  • Experience supporting certificate modernization initiatives for federal agencies.

Bonus points for:
  • Experience developing custom workflows, API integrations, infrastructure-as-code deployments, or certificate-as-code deployments.
  • Hands-on integration of PKI with Zero Trust architectures, mTLS service meshes, or identity-based segmentation.
  • Understanding of or experience with PKI-as-a-Service.
  • Expertise applying advanced cryptographic concepts such as hardware security modules (HSMs), KMS integration, and secure key lifecycle protection.
  • Demonstrated ability to lead certificate remediation or enterprise certificate modernization efforts.

Required Experience

  • PKI – 5+ years
  • Systems Administration / Systems Engineering – 10+ years

Education

Bachelor’s Degree preferred.

Salary Range

$145,000 – $155,000 Annually

Benefits

  • 401(k)
  • 401(k) Matching
  • Dental Insurance
  • Health Insurance
  • Paid Time Off
  • Parental Leave
  • Professional Development Assistance
  • Referral Program
  • Vision Insurance

EEO STATEMENT

LATCH is an Equal Opportunity Employer. Employment opportunities at LATCH are based on qualifications and capabilities to perform the essential functions of a particular job. All employment opportunities are provided without regard to veteran status, uniformed servicemember status, race, color, religion, sex, sexual orientation, gender identity, age (40 and over), pregnancy (including childbirth, lactation and related medical conditions), national origin or ancestry, citizenship status, physical or mental disability, or genetic information (including testing and characteristics); or any other category protected by federal, state, or local laws.
