About The Position

At GoDaddy, we are seeking an exceptional Principal Compliance Engineer - PKI with deep technical expertise to define requirements and guide the evolution of our Certificate Authority (CA) platform. Reporting to GoDaddy's Vice President Engineering Partners, you will translate industry standards into technical requirements, define specifications for compliance automation, and provide technical guidance for next-generation cryptographic systems. This role combines technical leadership with strategic requirements development, focusing on post-quantum cryptography readiness, certificate lifecycle automation, and CA infrastructure resilience.

Requirements

  • 8+ years of hands-on engineering experience in PKI systems, applied cryptography, or security infrastructure with proven technical leadership and strong technical background in languages such as Go, Python, Java, or C++
  • Deep expertise in PKI architecture including X.509 certificate structures, ASN.1 encoding, certificate chain validation, HSM operations, and cryptographic primitives
  • Proven experience translating CA/Browser Forum Baseline Requirements into technical specifications, including controls for key generation, certificate issuance, and audit logging
  • Systems engineering background with experience in distributed systems, API design, database architecture, and cloud infrastructure (AWS/GCP/Azure)
  • Strong ability to define requirements for PKI protocols (ACME, Certificate Transparency, OCSP/CRL) and translate compliance requirements into technical specifications, detailed engineering requirements, and test automation scripts

Nice To Haves

  • Advanced degree in Computer Science, Cryptography, Mathematics, or Electrical Engineering
  • Experience researching and evaluating post-quantum cryptographic algorithms (NIST PQC finalists, hybrid modes)
  • Security certifications such as CISSP, CEH, or specialized cryptography credentials
  • Experience with security audit processes (WebTrust for CAs, ETSI EN 319 411) from a technical implementation perspective
  • Contributions to PKI-related projects (Boulder, cert-manager, OpenSSL, BoringSSL, etc.)
  • Experience defining requirements for high-availability systems design, hardware security modules (HSMs), and secure key ceremony procedures
  • Knowledge of DevSecOps practices, CI/CD pipelines for security-critical systems, and infrastructure automation (Terraform, Kubernetes, Ansible)
  • Familiarity with cryptographic libraries (OpenSSL, BoringSSL, PKCS#11) and performance considerations for cryptographic operations
  • Experience developing test automation scripts for compliance validation

Responsibilities

  • Lead technical representation in the CA/Browser Forum and other industry standards bodies, contributing to protocol specifications and requirements development
  • Translate CAB Forum requirements into detailed technical specifications and engineering requirements for development teams
  • Define requirements for automated compliance validation systems and monitoring infrastructure
  • Conduct deep-dive technical assessments of CA infrastructure, identifying architectural gaps, security vulnerabilities, and performance bottlenecks
  • Define technical requirements for the evolution of certificate issuance pipelines, HSM integrations, and cryptographic key management systems
  • Specify requirements for automated testing frameworks for compliance validation, including CT log integration, OCSP responder infrastructure, and revocation mechanisms
  • Develop automation scripts for compliance testing and validation processes
  • Define SLIs/SLOs focused on certificate issuance latency, system availability, and compliance metrics
  • Document requirements for infrastructure-as-code solutions for CA deployment, disaster recovery, and high-availability architectures
  • Research and define requirements for post-quantum cryptographic algorithms (e.g., ML-KEM, ML-DSA, SLH-DSA) and hybrid certificate chains
  • Develop migration strategies and technical requirements for transitioning legacy cryptographic systems to next-generation algorithms
  • Create technical specifications for proof-of-concept implementations for emerging standards (ACME extensions, Certificate Transparency v2, delegated credentials)
  • Collaborate with cryptography researchers to evaluate algorithm performance, key sizes, and implementation trade-offs
  • Define the technical requirements roadmap for CA platform capabilities including certificate lifecycle automation, API development, and integration frameworks
  • Specify requirements for scalable APIs and automation tools for certificate issuance, renewal, and revocation workflows
  • Document specifications for self-service platforms and tools to reduce manual intervention in certificate operations
  • Develop automated testing scripts and define requirements for continuous compliance monitoring systems with automated remediation capabilities
  • Partner with security engineering teams on threat modeling, secure coding practices, and vulnerability management
  • Lead architecture reviews and technical design sessions with cross-functional engineering teams, providing requirements and guidance
  • Establish technical documentation standards and compliance engineering requirements for CA-related systems
  • Mentor engineers on PKI concepts, cryptographic implementations, and compliance engineering patterns

Benefits

  • paid time off
  • retirement savings (e.g., 401k, pension schemes)
  • bonus/incentive eligibility
  • equity grants
  • participation in our employee stock purchase plan
  • competitive health benefits
  • other family-friendly benefits including parental leave