Senior PKI engineer

Posted 22 Days Ago
City of New Home, TX, USA
In-Office
93K-185K Annually
Senior level
Fitness • Healthtech • Retail • Pharmaceutical
The Role
The PKI Engineer will design and manage certificate lifecycle operations, enhance automation with PowerShell and Python, ensure security compliance, and handle CA management within a large healthcare enterprise.
Summary Generated by Built In

We’re building a world of health around every individual — shaping a more connected, convenient and compassionate health experience. At CVS Health®, you’ll be surrounded by passionate colleagues who care deeply, innovate with purpose, hold ourselves accountable and prioritize safety and quality in everything we do. Join us and be part of something bigger – helping to simplify health care one person, one family and one community at a time.

Position Summary

As a PKI Engineer on the CVS Health PKI Engineering team, you will design, build, and operate the certificate lifecycle management infrastructure that secures one of the largest healthcare enterprises in the United States. You will work across two business units (CVS and Aetna), managing a combined estate of large certificates spanning internal, retail, and partner-facing applications.

Key Responsibilities

Certificate Operations & Automation

  • Engineer and maintain PowerShell and Python automation for certificate lifecycle operations: issuance, renewal, retirement, and reporting.
  • Own and enhance the daily PKI operational reporting for certificate health monitoring across the enterprise.
  • Automate certificate automation and governance workflows, including bulk operations across Venafi TPP REST APIs.
  • Drive private chain adoption across application teams, targeting full migration off public CA chains for internal workloads.
  • Manage the DigiCert certificate authority and DigiCert ONE certificate lifecycle management.

Legacy Decommissioning & CA Management

  • Execute the Legacy MSCA shutdown plan
  • Track and remediate certificates tied to the Legacy CA expiration (Feb 2027 hard deadline).

Security, Compliance & Architecture

  • Maintain Zero Trust alignment across all PKI services: mTLS enforcement, workload identity, client authentication policies.
  • Support HIPAA, PCI-DSS, and SOX audit readiness through certificate inventory governance, expiration tracking, and compliance reporting.
  • Contribute to PQC readiness planning: crypto-agility assessments, hybrid certificate testing, and algorithm migration roadmaps.
  • Collaborate with network, application, and cloud teams to resolve certificate-related incidents and architecture reviews.

Required Qualifications

  • 5+ years of hands-on PKI/CLM engineering experience in an enterprise environment (10,000+ certificates under management).
  • Deep working knowledge of X.509 certificate standards, CA hierarchies (root, intermediate, issuing), and certificate chain validation.
  • Production experience with at least one enterprise CLM platform: Venafi TPP, AppViewX, Keyfactor, or CyberArk (formerly Venafi).
  • Strong scripting/automation skills in PowerShell and/or Python, including REST API integration with CLM and CA platforms.
  • Hands-on experience with certificate provisioning to load balancers (F5 BIG-IP), CDNs (Akamai), web servers (IIS, Apache/Nginx), and cloud platforms (AWS ACM, Azure Key Vault).
  • Solid understanding of TLS/SSL protocols, cipher suites, key exchange mechanisms, and certificate revocation (CRL/OCSP).
  • Familiarity with ServiceNow, Jira, or equivalent ITSM/project tracking tools in a regulated enterprise environment.

Preferred Qualifications

  • Experience with DigiCert ONE, DigiCert CertCentral, or equivalent public CA management platforms.
  • Familiarity with Microsoft Active Directory Certificate Services (ADCS/MSCA) and Group Policy-based auto-enrollment.
  • Exposure to post-quantum cryptography standards (ML-KEM, ML-DSA) and crypto-agility planning.
  • Experience operating in dual-domain or multi-business-unit enterprise environments with segmented policy and access controls.
  • CISSP or vendor-specific PKI certifications (e.g., Venafi Certified Professional).
  • Experience with healthcare or financial services compliance frameworks (HIPAA, PCI-DSS, SOX).
  • Familiarity with F5, HashiCorp Vault, Akeyless, or similar secrets management platforms for certificate and key storage.
  • CLM Platforms: Venafi TPP, AppViewX, Keyfactor
  • Certificate Authorities: DigiCert ONE, Internal Private CAs
  • Automation: PowerShell, Python, REST APIs, Venafi WebSDK
  • Infrastructure: F5 BIG-IP, Akamai, IIS, Apache, Nginx
  • Cloud: AWS, Azure (Key Vault)
  • ITSM / Project: ServiceNow

Education: 

  • Bachelor’s degree or equivalent experience (high school diploma plus 4 years of relevant work experience)

Anticipated Weekly Hours

40

Time Type

Full time

Pay Range

The typical pay range for this role is:

$92,700.00 - $185,400.00

This pay range represents the base hourly rate or base annual full-time salary for all positions in the job grade within which this position falls.  The actual base salary offer will depend on a variety of factors including experience, education, geography and other relevant factors.  This position is eligible for a CVS Health bonus, commission or short-term incentive program in addition to the base pay range listed above. 
 

Our people fuel our future. Our teams reflect the customers, patients, members and communities we serve and we are committed to fostering a workplace where every colleague feels valued and that they belong.

Great benefits for great people

We take pride in offering a comprehensive and competitive mix of pay and benefits that reflects our commitment to our colleagues and their families.

This full‑time position is eligible for a comprehensive benefits package designed to support the physical, emotional, and financial well‑being of colleagues and their families. The benefits for this position include medical, dental, and vision coverage, paid time off, retirement savings options, wellness programs, and other resources, based on eligibility.


Additional details about available benefits are provided during the application process and on Benefits Moments.

We anticipate the application window for this opening will close on: 08/02/2026

Qualified applicants with arrest or conviction records will be considered for employment in accordance with all federal, state and local laws.

Skills Required

  • 5+ years of hands-on PKI/CLM engineering experience in an enterprise environment
  • Deep working knowledge of X.509 certificate standards and CA hierarchies
  • Production experience with at least one enterprise CLM platform
  • Strong scripting/automation skills in PowerShell and/or Python
  • Hands-on experience with certificate provisioning to various infrastructure components

The Company
HQ: Woonsocket, RI
119,959 Employees
Year Founded: 1963

What We Do

CVS Health is the leading health solutions company that delivers care in ways no one else can. We reach people in more ways and improve the health of communities across America through our local presence, digital channels and our nearly 300,000 dedicated colleagues – including more than 40,000 physicians, pharmacists, nurses and nurse practitioners. Wherever and whenever people need us, we help them with their health – whether that’s managing chronic diseases, staying compliant with their medications, or accessing affordable health and wellness services in the most convenient ways. We help people navigate the health care system – and their personal health care – by improving access, lowering costs and being a trusted partner for every meaningful moment of health. And we do it all with heart, each and every day.
