Staff PKI Engineer


Austin, TX, USA

Full time


Mar 4

What to Expect

We are currently looking for an experienced PKI Engineer to join our team who is well versed in the complexities of a large enterprise PKI design. Advanced technical depth in Active Directory Certificate Services (ADCS), Hardware Security Modules, Certificate Lifecycle Management, and the multitude of X.509 certificate use cases is a hard requirement for this position. You will be responsible for the design, implementation, and administration of several production PKIs that are globally distributed. You will draw primarily on extensive knowledge of server systems such as ADCS, Active Directory, Azure Active Directory, and Windows Server (2008 through 2019), and secondarily on Linux skills (CentOS and Ubuntu), to support the certificate lifecycle of most major device types, operating system flavors, and certificate use cases (e.g. TLS, code signing, file encryption, user/device authentication). The role includes workstation and mobile support of certificate key/trust stores for Windows, macOS, iOS, and Android. Working knowledge of PowerShell, Bash, Python, and/or DOS scripting will be required to automate tasks. Must have strong skills in creating and maintaining highly available services, performance monitoring, troubleshooting, and extensive technical documentation.

What You’ll Do

  • Technical documentation to include Physical/Logical Solution Design, CP/CPS, and DR/BCP documentation.
  • Design, implement, and maintain ADCS Roles running Windows Server 2016/2019 as per documented configuration procedures and standards.
  • Provide architectural input for all strategies, standards, governance, policy, and automation as it relates to PKI.
  • Design, implement, and maintain Hardware Security Module (HSM) solutions in a distributed global infrastructure. 
  • Design and implement monitoring for availability, performance, alerting, and anomaly detection using industry tools such as Splunk and Grafana.
  • 99.999% uptime for CRL and OCSP Services.
  • Advanced troubleshooting of interconnecting technologies as related to PKI to support critical outage incidents, root cause analysis, and after-action reporting.
  • Triage incoming requests for consultations and SSL certificates that require level 3 engineering support.
  • Engineering and architectural planning/implementation of various certificate enrollment methods for major device types, os’s and 
  • End-user and application owner support in certificate enrollment and key management.
  • Triage service issues and production impairment within the SLA timelines and provide detailed post-mortem reports as required.
  • Develop and augment automation through scripting or programming
  • Work collaboratively with staff from partner teams
  • Document tasks, procedures, and environments in the configuration and maintenance of PKI.
  • Solid understanding of certificate and security best practices and the ability to implement them.
  • Must participate in 24/7 on-call rotation.

What You’ll Bring

  • Subject matter expertise in the various components that make up an enterprise PKI including CAs, validation services, HSMs, and all other processes, components, and roles that form the PKI framework.
  • Substantial experience with enterprise HSM systems from major vendors such as SafeNet, Utimaco, and Entrust.
  • High working knowledge of the various stages of the Certificate Lifecycle and extensive experience implementing solutions to solve each stage for various certificate use cases.
  • BS in Computer Science preferred or related work experience.
  • At least 5 years of experience with ADCS and PKI in a large enterprise setting with demonstrated knowledge of related best practices and configurations.
  • Experience with Microsoft Windows Server configuration, deployment, and troubleshooting.
  • Experience with various technologies that configure TLS/SSL and how to configure them (e.g. Apache, Nginx, IIS, F5).
  • Experience with different enrollment methods and the vendor solutions used to request & deploy certificates to end-entity devices (e.g. MS Autoenrollment, SCEP, XCEP/WSTEP, NDES, Intune, Airwatch, etc.).
  • Demonstrable ability to solve problems and automate tasks programmatically.
  • Experience with support of mission-critical, large-scale operations, that run 24x7.
  • Effective verbal and written communication skills.
  • Excellent customer support skills in complex topics, such as PKI and cryptography.
  • Understanding of standard cryptography concepts and best practices.
  • A desire to grow into and passion for in-depth PKI and certificate implementations in a fast-paced environment.
  • Must be willing to be onsite full time
  • Additional locations: Fremont, CA, Buffalo, NY, Sparks, NV 

Compensation and Benefits


Along with competitive pay, as a full-time Tesla employee, you are eligible for the following benefits at day 1 of hire:

  • Aetna PPO and HSA plans > 2 medical plan options with $0 payroll deduction
  • Family-building, fertility, adoption and surrogacy benefits
  • Dental (including orthodontic coverage) and vision plans, both have options with a $0 paycheck contribution
  • Company Paid (Health Savings Account) HSA Contribution when enrolled in the High Deductible Aetna medical plan with HSA
  • Healthcare and Dependent Care Flexible Spending Accounts (FSA)
  • LGBTQ+ care concierge services
  • 401(k) with employer match, Employee Stock Purchase Plans, and other financial benefits
  • Company paid Basic Life, AD&D, short-term and long-term disability insurance
  • Employee Assistance Program
  • Sick and Vacation time (Flex time for salary positions), and Paid Holidays
  • Back-up childcare and parenting support resources
  • Voluntary benefits to include: critical illness, hospital indemnity, accident insurance, theft & legal services, and pet insurance
  • Weight Loss and Tobacco Cessation Programs
  • Tesla Babies program
  • Commuter benefits
  • Employee discounts and perks program

Tesla is an Equal Opportunity / Affirmative Action employer committed to diversity in the workplace. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, age, national origin, disability, protected veteran status, gender identity or any other factor protected by applicable federal, state or local laws.

Tesla is also committed to working with and providing reasonable accommodations to individuals with disabilities. Please let your recruiter know if you need an accommodation at any point during the interview process.

For quick access to screen reading technology compatible with this site click here to download a free compatible screen reader (free step by step tutorial can be found here). Please contact for additional information or to request accommodations.

Privacy is a top priority for Tesla. We build it into our products and view it as an essential part of our business. To understand more about the data we collect and process as part of your application, please view our Tesla Talent Privacy Notice
