IAM KeyCloak Secrets PKI Engineer (Full remote)

IAM KeyCloak Secrets PKI Engineer

️ About the Role

Weare looking for an IAM PKI Engineer to join its internal platform team. In this role, you will design, implement and operate Identity \& Access Management services — including Keycloak, HashiCorp Vault and PKI infrastructure — working closely with the EDP IAM team in an agile, sprint\-based delivery environment.

️ Key Responsibilities

• Implement and maintain Keycloak deployments on VMs, Kubernetes (OpenShift, bare\-metal, GKE) and Docker, including OIDC, OAuth2, SAML and Kerberos/LDAP federation.


• Configure RBAC/ABAC policies, multi\-realm and multi\-tenant setups across hybrid cloud and on\-prem workloads.


• Integrate Keycloak with IPA/LDAP/AD for identity sync, and with Google Identity as an IdP or broker.


• Deploy and operate HashiCorp Vault in production on Linux\-based systems, including HA clusters, Raft storage, seal/unseal mechanisms (Shamir, HSM, cloud KMS).


• Configure Vault for securing Keycloak operational secrets, implementing dynamic secrets and secret rotation policies.


• Set up and manage the Vault PKI secrets engine: internal CAs, intermediates, short\-lived certificate issuance, CRL/OCSP, and automated revocation.


• Integrate PKI with enterprise services such as Kubernetes ingress controllers, load balancers, web servers and VPNs.


• Automate deployment and configuration of Keycloak and Vault using Terraform, Helm and/or Ansible, following IaC and GitOps practices.


• Work on CI/CD integration (GitHub Actions, GitLab CI, Jenkins) for certificate and secret distribution.


• Monitor both platforms with Prometheus and Grafana; handle incident response for expired certificates, Vault unseal failures and IPA migration issues.

• Bachelor's or Master's degree in Computer Science, Information Security, Systems Engineering or a related field.


• In the absence of a degree in a relevant field, demonstrated equivalent professional experience of at least 6 years will be accepted.

• Strong hands\-on knowledge of authentication and authorisation protocols: OIDC, OAuth2, SAML, Kerberos and LDAP.


• Proven experience deploying and managing Keycloak on VM and/or Kubernetes environments.


• Demonstrated experience with HashiCorp Vault in production: HA clusters, Raft storage, seal/unseal configuration (KMS/HSM) and PKI secrets engine operations.


• Experience managing PKI infrastructure: intermediate CAs, role definitions, short\-lived certificate issuance, CRLs and automated revocation.


• Experience automating certificate lifecycle management via Vault Agent, API or CI/CD pipelines, including rotation policies and revocation.


• Experience integrating PKI with enterprise systems (Kubernetes ingress, load balancers, VPN, S/MIME, databases).


• Hands\-on experience with Terraform, Helm and/or ArgoCD for infrastructure automation.


• Experience with Prometheus and Grafana for monitoring; ability to troubleshoot unseal, auth and CRL issues and perform backup \& restore.

• Experience deploying Keycloak on GCP/GKE, including integration with Google Identity and mapping Keycloak roles to GCP IAM roles.


• Knowledge of advanced PKI topics: ACME v2 (DNS\-01 \+ EAB), EST for devices, AIA/CRL/OCSP publishing and stapling, RFC 5280 profiles, SAN encoding and RA delegation.


• Experience with RBAC, audit devices, HSM/KMS for key protection and security compliance practices.


• Familiarity with post\-quantum cryptography (PQC) pilots.


• Fluent in German.


• Experience working in Scrum or other agile frameworks.

• Fluent English (written and spoken).

• Remote \- Occasional travel required.


• Full\-Time

Este anúncio é de indeed. Ver anúncio original ↗