IAM KeyCloak Secrets PKI Engineer (Full remote)

bridge351

Remoto
IAM KeyCloak Secrets PKI Engineer

 About The Role

Weare looking for an IAM PKI Engineer to join its internal platform team. In this role, you will design, implement and operate Identity & Access Management services — including Keycloak, HashiCorp Vault and PKI infrastructure — working closely with the EDP IAM team in an agile, sprint-based delivery environment.

Key Responsibilities

  • Implement and maintain Keycloak deployments on VMs, Kubernetes (OpenShift, bare-metal, GKE) and Docker, including OIDC, OAuth2, SAML and Kerberos/LDAP federation.
  • Configure RBAC/ABAC policies, multi-realm and multi-tenant setups across hybrid cloud and on-prem workloads.
  • Integrate Keycloak with IPA/LDAP/AD for identity sync, and with Google Identity as an IdP or broker.
  • Deploy and operate HashiCorp Vault in production on Linux-based systems, including HA clusters, Raft storage, seal/unseal mechanisms (Shamir, HSM, cloud KMS).
  • Configure Vault for securing Keycloak operational secrets, implementing dynamic secrets and secret rotation policies.
  • Set up and manage the Vault PKI secrets engine: internal CAs, intermediates, short-lived certificate issuance, CRL/OCSP, and automated revocation.
  • Integrate PKI with enterprise services such as Kubernetes ingress controllers, load balancers, web servers and VPNs.
  • Automate deployment and configuration of Keycloak and Vault using Terraform, Helm and/or Ansible, following IaC and GitOps practices.
  • Work on CI/CD integration (GitHub Actions, GitLab CI, Jenkins) for certificate and secret distribution.
  • Monitor both platforms with Prometheus and Grafana; handle incident response for expired certificates, Vault unseal failures and IPA migration issues.

Mandatory Qualifications

  • Bachelor's or Master's degree in Computer Science, Information Security, Systems Engineering or a related field.
  • In the absence of a degree in a relevant field, demonstrated equivalent professional experience of at least 6 years will be accepted.

Mandatory Experience

  • Strong hands-on knowledge of authentication and authorisation protocols: OIDC, OAuth2, SAML, Kerberos and LDAP.
  • Proven experience deploying and managing Keycloak on VM and/or Kubernetes environments.
  • Demonstrated experience with HashiCorp Vault in production: HA clusters, Raft storage, seal/unseal configuration (KMS/HSM) and PKI secrets engine operations.
  • Experience managing PKI infrastructure: intermediate CAs, role definitions, short-lived certificate issuance, CRLs and automated revocation.
  • Experience automating certificate lifecycle management via Vault Agent, API or CI/CD pipelines, including rotation policies and revocation.
  • Experience integrating PKI with enterprise systems (Kubernetes ingress, load balancers, VPN, S/MIME, databases).
  • Hands-on experience with Terraform, Helm and/or ArgoCD for infrastructure automation.
  • Experience with Prometheus and Grafana for monitoring; ability to troubleshoot unseal, auth and CRL issues and perform backup & restore.

Preferred Experience

  • Experience deploying Keycloak on GCP/GKE, including integration with Google Identity and mapping Keycloak roles to GCP IAM roles.
  • Knowledge of advanced PKI topics: ACME v2 (DNS-01 + EAB), EST for devices, AIA/CRL/OCSP publishing and stapling, RFC 5280 profiles, SAN encoding and RA delegation.
  • Experience with RBAC, audit devices, HSM/KMS for key protection and security compliance practices.
  • Familiarity with post-quantum cryptography (PQC) pilots.
  • Fluent in German.
  • Experience working in Scrum or other agile frameworks.

Languages

  • Fluent English (written and spoken).

Location & Work Model

  • Remote - Occasional travel required.
  • Full-Time

Como aplicar?

Para se candidatar a este emprego, você precisa autorizar em nosso site. Se você ainda não possui uma conta, registre-se.

Veja mais empregos em Lisboa, Lisboa, empregos em Portugal