Role Summary

The Security PKI Engineer will be responsible for engineering, operating, and continuously improving LSEG’s Public Key Infrastructure (PKI) and Certificate Lifecycle Management (CLM) capabilities. This role ensures trusted identity, authentication, and encryption services are reliable, scalable, and secure across enterprise and cloud environments. You will contribute to designs and production improvements that increase availability, performance, and operational efficiency, partnering closely with architects, security teams, infrastructure, and application owners to deliver measurable outcomes on agreed priorities and timelines.

Key Responsibilities

· Engineer, administer, and maintain PKI components including Root, Intermediate, and Issuing Certificate Authorities.

· Operating and supporting certificate validation and distribution services including CRLs, OCSP, AIA, and CDP.

· Executing end-to-end certificate lifecycle processes: request validation, issuance, renewal, revocation, and retirement.

· Ensuring essential PKI and CLM processes meet high-quality standards through strong operational controls, documentation, and repeatable runbooks.

· Maintaining certificate inventory hygiene and reduce operational risk by proactively addressing expirations and crypto compliance gaps.

· Driving project priorities, deadlines, and outcomes for PKI and CLM engineering deliverables.

· Applying deep knowledge of site reliability, software engineering, tooling, frameworks, infrastructure, and systems to deliver each task effectively.

· Contributing to designs of software components, systems, and features that improve availability, scalability, latency, and efficiency of LSEG services.

· Participating in sustainable incident response and production improvements, including root cause analysis and preventive remediation.

· Building automation to prevent problem recurrence and implementing automated responses for non-exceptional service conditions.

· Writing and reviewing optimized and accurate automation code and scripts to improve certificate operations and reliability.

· Providing feedback and suggested improvements through peer code reviews, focusing on quality, performance, and maintainability.

· Improving monitoring and alerting for certificate expiry, CA health, OCSP and CRL availability, and CLM workflow performance.

· Supporting integration of CLM workflows with enterprise tooling and APIs to reduce manual effort and improve governance.

· Partnering with architects to decompose solutions for technology systems and products, aligning PKI and CLM designs to platform standards.

· Acting as a point of contact within the PKI domain by demonstrating strong depth of knowledge and building awareness of adjacent domains to manage dependencies.

· Proactively building and applying relevant domain knowledge related to workflows, data pipelines, business policies, configurations, and constraints.

· Providing mentorship and advice to team members on improving availability and performance of critical services.

Qualifications

· Strong understanding of PKI and X.509, including certificate chains and validation.

· Bachelor’s degree in technology (Computer Science, Computer Engineering etc.)

· 5 Years of IT experience

· 2-3 years of experience in CyberSecurity or Identity & Access Management.

· Strong understanding of Certificate Authorities and supporting services, including Root, Intermediate, and Issuing CAs, CRLs, OCSP, AIA, and CDP.

· Strong understanding of Certificate Lifecycle Management (CLM) concepts and workflows.

· Knowledge of key generation and protection, including HSM concepts and key storage providers such as KSP and CSP.

· Hands-on experience with one or more PKI platforms such as Microsoft AD CS, Entrust, Keyfactor, Sectigo, DigiCert, or PrimeKey EJBCA.

· IAM and security infrastructure experience, including Active Directory, Conditional Access concepts, Kerberos and NTLM, and identity federation using SAML, OAuth, and OIDC.

· Networking fundamentals including TCP/IP, DNS, DHCP, firewall concepts, and TLS mutual authentication.

· Operating systems experience with Windows Server and Linux distributions such as Ubuntu and RHEL.

· Automation and scripting skills, with PowerShell as a primary skill and Bash or Python as additional skills.

· Experience working in one or more cloud platforms: Azure, AWS, or GCP.

· Demonstrated ability to manage priorities, deadlines, and outcomes while maintaining high quality standards.

· Experience operating security-critical services with an SRE mindset, including monitoring, alerting, incident response, and post-incident improvements.

· Experience integrating CLM and PKI services with enterprise workflows, APIs, and automation pipelines.

· Experience designing improvements that measurably enhance availability, scalability, latency, or operational efficiency.

Certifications (Nice to have)

· Security Certifications (SSCP, CompTIA Security+)

· Azure/AWS/GCP cloud security certifications

· PKI/CLM platform training and/or public CA program familiarity

Career Stage:

London Stock Exchange Group (LSEG) Information:

Join us and be part of a team that values innovation, quality, and continuous improvement. If you're ready to take your career to the next level and make a significant impact, we'd love to hear from you.

LSEG is a leading global financial markets infrastructure and data provider. Our purpose is driving financial stability, empowering economies and enabling customers to create sustainable growth.

Our purpose is the foundation on which our culture is built. Our values of Integrity, Partnership, Excellence and Change underpin our purpose and set the standard for everything we do, every day. They go to the heart of who we are and guide our decision making and everyday actions.

Working with us means that you will be part of a dynamic organisation of 25,000 people across 65 countries. However, we will value your individuality and enable you to bring your true self to work so you can help enrich our diverse workforce.

We are proud to be an equal opportunities employer. This means that we do not discriminate on the basis of anyone’s race, religion, colour, national origin, gender, sexual orientation, gender identity, gender expression, age, marital status, veteran status, pregnancy or disability, or any other basis protected under applicable law. Conforming with applicable law, we can reasonably accommodate applicants' and employees' religious practices and beliefs, as well as mental health or physical disability needs.

You will be part of a collaborative and creative culture where we encourage new ideas. We are committed to sustainability across our global business and we are proud to partner with our customers to help them meet their sustainability objectives. Our charity, the LSEG Foundation provides charitable grants to community groups that help people access economic opportunities and build a secure future with financial independence. Colleagues can get involved through fundraising and volunteering.

LSEG offers a range of tailored benefits and support, including healthcare, retirement planning, paid volunteering days and wellbeing initiatives.

Please take a moment to read this privacy notice carefully, as it describes what personal information London Stock Exchange Group (LSEG) (we) may hold about you, what it’s used for, and how it’s obtained, your rights and how to contact us as a data subject.

If you are submitting as a Recruitment Agency Partner, it is essential and your responsibility to ensure that candidates applying to LSEG are aware of this privacy notice.

Location: Bucharest - Iuliu Maniu Boulevard

Time Type: Full time