IAM KeyCloak Secrets PKI Engineer (Full remote)

IAM KeyCloak Secrets PKI Engineer

🏛️ About the Role

Weare looking for an IAM PKI Engineer to join its internal platform team. In this role, you will design, implement and operate Identity & Access Management services — including Keycloak, HashiCorp Vault and PKI infrastructure — working closely with the EDP IAM team in an agile, sprint-based delivery environment.

🛠️ Key Responsibilities

• Implement and maintain Keycloak deployments on VMs, Kubernetes (OpenShift, bare-metal, GKE) and Docker, including OIDC, OAuth2, SAML and Kerberos/LDAP federation.

• Configure RBAC/ABAC policies, multi-realm and multi-tenant setups across hybrid cloud and on-prem workloads.

• Integrate Keycloak with IPA/LDAP/AD for identity sync, and with Google Identity as an IdP or broker.

• Deploy and operate HashiCorp Vault in production on Linux-based systems, including HA clusters, Raft storage, seal/unseal mechanisms (Shamir, HSM, cloud KMS).

• Configure Vault for securing Keycloak operational secrets, implementing dynamic secrets and secret rotation policies.

• Set up and manage the Vault PKI secrets engine: internal CAs, intermediates, short-lived certificate issuance, CRL/OCSP, and automated revocation.

• Integrate PKI with enterprise services such as Kubernetes ingress controllers, load balancers, web servers and VPNs.

• Automate deployment and configuration of Keycloak and Vault using Terraform, Helm and/or Ansible, following IaC and GitOps practices.

• Work on CI/CD integration (GitHub Actions, GitLab CI, Jenkins) for certificate and secret distribution.

• Monitor both platforms with Prometheus and Grafana; handle incident response for expired certificates, Vault unseal failures and IPA migration issues.

✅ Mandatory Qualifications

• Bachelor's or Master's degree in Computer Science, Information Security, Systems Engineering or a related field.

• In the absence of a degree in a relevant field, demonstrated equivalent professional experience of at least 6 years will be accepted.

✅ Mandatory Experience

• Strong hands-on knowledge of authentication and authorisation protocols: OIDC, OAuth2, SAML, Kerberos and LDAP.

• Proven experience deploying and managing Keycloak on VM and/or Kubernetes environments.

• Demonstrated experience with HashiCorp Vault in production: HA clusters, Raft storage, seal/unseal configuration (KMS/HSM) and PKI secrets engine operations.

• Experience managing PKI infrastructure: intermediate CAs, role definitions, short-lived certificate issuance, CRLs and automated revocation.

• Experience automating certificate lifecycle management via Vault Agent, API or CI/CD pipelines, including rotation policies and revocation.

• Experience integrating PKI with enterprise systems (Kubernetes ingress, load balancers, VPN, S/MIME, databases).

• Hands-on experience with Terraform, Helm and/or ArgoCD for infrastructure automation.

• Experience with Prometheus and Grafana for monitoring; ability to troubleshoot unseal, auth and CRL issues and perform backup & restore.

⭐ Preferred Experience

• Experience deploying Keycloak on GCP/GKE, including integration with Google Identity and mapping Keycloak roles to GCP IAM roles.

• Knowledge of advanced PKI topics: ACME v2 (DNS-01 + EAB), EST for devices, AIA/CRL/OCSP publishing and stapling, RFC 5280 profiles, SAN encoding and RA delegation.

• Experience with RBAC, audit devices, HSM/KMS for key protection and security compliance practices.

• Familiarity with post-quantum cryptography (PQC) pilots.

• Fluent in German.

• Experience working in Scrum or other agile frameworks.

🌐 Languages

• Fluent English (written and spoken).

📍 Location & Work Model

• Remote - Occasional travel required.

• Full-Time