Job description

For our client we are looking for a PKI / Secrets Management QA Engineer (f/m/d).

Start: 20.10.2025
Duration: 3 months, wish for a long-term prolongation
Capacity: 80-100%
Location: 75% remote, 25% Berlin (1 week Berlin / 3 weeks remote in rotation), up to 50% onsite in peak times
Language: English is a must, German is a plus
Budget: 80,00 EUR net

Role:
The IAM Service is responsible for the conception and design of identity and access management (IAM) services for the platform. The primary goals are providing scalable, secure, and federated access to applications and ensuring seamless integration across the hybrid cloud environment.

Objectives:
- Core Vault Knowledge
• Vault concepts: validate Vault activities, namely init/unseal, tokens, leases, policies, secrets engines.
• Test Vault fundamentals: init/unseal, tokens, policies, secrets engines.
• Validate the secrets lifecycle, PKI workflows, RA policies, and revocation.
• Automate tests using the CLI, REST API and SDKs (Python, Go, Java) in CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI).
• Test certificate issuance, expiry, revocation, and renewal workflows.
- Testing & Validation
• Give recommendations and write test cases for:
o Secrets lifecycle (creation, lease renewal, revocation).
o PKI workflows (CSR submission, certificate issuance, CRL checks, revocation).
o Authentication methods (AppRole, LDAP, Kubernetes, OIDC).
o Validation of access policies (ACLs), ensuring least privilege is enforced.
• Regression testing for Vault upgrades and policy changes.
• Fault injection testing: unseal/reseal, token expiration, expired certificates.
- Automation & Scripting
• Creation of automated test scripts using the Vault CLI, REST API, and SDKs (Python, Go, or Java).
• Integration of Vault test cases into CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Jenkins).
• Scripting in Python, Bash and PowerShell for automating secrets/PKI validation tests.
- PKI-Specific Testing
• Validation of certificate chains, trust anchors, and expiry alerts.
• Testing automated certificate issuance and renewal flows (short-lived certs).
• Simulation of edge cases: revoked certs, expired intermediates, misconfigured chains.
• Use of tools like OpenSSL, certutil, or Wireshark to debug TLS/PKI issues.
- Integration Testing
• Integration testing of the following categories:
o Kubernetes sidecars and Vault Agent templates.
o Dynamic DB credentials.
o TLS cert rotation in load balancers, web servers, and APIs.
o Keycloak federation (OIDC/SAML) flows.
• Browser-based tests using Playwright or Selenium for IAM/SSO validation.
- Security & Compliance Validation
• Reviews of hardcoded secrets, audit logging, RBAC/MFA enforcement, and FIPS/PCI-DSS alignment.
• Verification that audit logs (Vault audit devices, syslog) capture critical events.
• Testing RBAC enforcement and MFA requirements in auth flows.
• Compliance reviews against standards (FIPS 140-2/3 for crypto, PCI-DSS secret handling requirements).
- Monitoring & Troubleshooting
• Validation of deployments to ensure reliability, security and compliance, covering both functional testing (PKI/Secrets) and integration testing (IAM federation, CI/CD pipelines, HA/DR).
• Monitoring Vault telemetry, logs, and SIEM outputs; debugging failures across Vault/PKI/Keycloak.
• Ensuring HA/DR failover testing is automated and repeatable.
• Adding coverage for multi-tenant and RA delegation scenarios.

Skills (must-have):
- Experience with testing Vault fundamentals and PKI workflows.
- Expertise with test automation frameworks for services, APIs, IAM.
- Strong experience with scripting and automation: Python, Go, Bash, PowerShell.
- Expertise with PKI/SSL debug tools: OpenSSL, certutil, Wireshark.
- Strong skills in CI/CD integration: Jenkins, GitHub Actions, GitLab CI.
- Experience with secrets and compliance testing: audit logs, RBAC/MFA, standards validation.
- Experience with browser-based automation: Playwright or Selenium.
- Experience as a quality gate for PKI, Vault, and IAM services.
- Good knowledge of how Vault integrates with apps (via the API, the Vault Agent and the sidecar injector).

Skills (should-have):
- Experience with cloud services and their configuration.
- Knowledge of IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends and performance testing.
- Fluent in German.
- Familiarity with HA/DR scenarios in PKI/Secrets/IAM.
- Experience working with Scrum and general experience in agile frameworks.