75% remote: PKI / Secrets Management QA Engineer

Job description:

For our client we are looking for a PKI / Secrets Management QA Engineer (f/m/d).
Start: 20.10.2025
Duration: 3 months, with a wish for a long-term prolongation
Capacity: 80-100%
Location: 75% Remote, 25% Berlin (1 week Berlin / 3 weeks remote in rotation), up to 50% onsite in peak times
Language: English is a must, German is a plus
Budget: 80,00 EUR net
Role:
The IAM Service is responsible for the conception and design of identity and access management (IAM) services for the platform. The primary goals are providing scalable, secure, and federated access to applications and ensuring seamless integration across the hybrid cloud environment.
Objectives:
- Core Vault Knowledge
- Vault concepts: validate Vault activities, namely init/unseal, tokens, leases, policies, secrets engines.
- Test Vault fundamentals: init/unseal, tokens, policies, secrets engines.
- Validate secrets lifecycle, PKI workflows, RA policies, and revocation.
- Automate tests using CLI, REST API, SDKs (Python, Go, Java) in CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI).
- Test the certificate issuance, expiry, revocation, and renewal workflows.
- Testing & Validation:
- Give recommendations and write test cases for:
- Secrets lifecycle (creation, lease renewal, revocation).
- PKI workflows (CSR submission, certificate issuance, CRL checks, revocation).
- Authentication methods (AppRole, LDAP, Kubernetes, OIDC).
- Validating access policies (ACLs) — ensuring least privilege is enforced.
- Regression testing for Vault upgrades and policy changes.
- Fault injection testing: unseal/reseal, token expiration, expired certificates
- Automation & Scripting
- Creation of automated test scripts using the Vault CLI, REST API, and SDKs (Python, Go, or Java).
- Integration of Vault test cases into CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Jenkins).
- Scripting in Python, Bash, PowerShell for automating secrets/PKI validation tests
- PKI-Specific Testing
- Validation of certificate chains, trust anchors, and expiry alerts.
- Testing automated certificate issuance and renewal flows (short-lived certs).
- Simulation of edge cases: revoked certs, expired intermediates, misconfigured chains.
- Use tools like OpenSSL, certutil, or Wireshark to debug TLS/PKI issues
- Integration Testing
- Performing integration testing of the following categories:
- Kubernetes sidecars and Vault Agent templates.
- Dynamic DB credentials.
- TLS cert rotation in load balancers, web servers, and APIs.
- Keycloak federation (OIDC/SAML) flows.
- Conducting browser-based tests using Playwright or Selenium for IAM/SSO validation
- Security & Compliance Validation
- Performing reviews of hardcoded secrets, audit logging, RBAC/MFA enforcement, FIPS/PCI-DSS alignment
- Verifying that audit logs (Vault audit devices, syslog) capture critical events.
- Testing RBAC enforcement and MFA requirements in auth flows.
- Performing compliance reviews with standards (FIPS 140-2/3 for crypto, PCI-DSS secret handling requirements)
- Monitoring & Troubleshooting
- Validation of deployments to ensure reliability, security and compliance, covering both functional testing (PKI/Secrets) and integration testing (IAM federation, CI/CD pipelines, HA/DR).
- Monitoring Vault telemetry, logs, and SIEM outputs; debug failures across Vault/PKI/Keycloak.
- Ensure HA/DR failover testing is automated and repeatable.
- Add coverage for multi-tenant and RA delegation scenarios.
Skills (must-have):
- Experience with testing Vault fundamentals and PKI workflows.
- Expertise with test automation frameworks for services, APIs, IAM.
- Strong experience with scripting and automation: Python, Go, Bash, PowerShell.
- Expertise with PKI/SSL debug tools: OpenSSL, certutil, Wireshark.
- Strongly skilled with CI/CD integration: Jenkins, GitHub Actions, GitLab CI.
- Experience with Secrets and compliance testing: audit logs, RBAC/MFA, standards validation.
- Experienced with browser-based automation: Playwright or Selenium.
- Experienced as a quality gate for PKI, Vault, and IAM services.
- Good knowledge of how Vault integrates with apps (via API, the Vault Agent and sidecar injector)
Skills (should-have):
- Experience with cloud services and their configuration
- Knowledge about IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends and performance testing
- Fluent in German
- Familiarity with HA/DR scenarios in PKI/Secrets/IAM.
- Working with Scrum and general experience in agile frameworks
