
PKI Hiring Challenge

Stop fishing in a tiny talent pool for PKI specialists. Build the platform first, then hire from the vast pool of infrastructure engineers who can actually solve your problem.

You’re about to post a job req for a PKI Engineer. The talent pool is tiny and most candidates can’t solve your real problem.

I’ve spent years inside enterprises sorting out certificate and key management. Barclays, Deutsche Bank, TSB Bank, and so on. There is a repeating pattern: certificate pain grows, leadership decides to hire someone. The job req goes out for a “PKI Engineer, 5+ years experience.”

Six months later - if you’re lucky - someone joins. Within weeks, they’re drowning. Within months, they’re either burned out or interviewing elsewhere.

The problem isn’t the hire. It’s the sequence.

The Talent Pool Reality

Search for “PKI Engineer” and you’ll mostly find Microsoft CA administrators. That’s what the market is. People who’ve managed certificate templates in Active Directory. People who know the MMC console. People who’ve worked in Windows-centric environments where PKI mostly takes care of itself.

That’s not where your problem is.

Microsoft CA works fine inside a Windows estate. Auto-enrollment, certificate templates, AD integration—it’s a solved problem. There’s almost nothing to automate there. It just runs.

Your problem is everything outside Windows (and outside other managed platforms). Your biggest problem is enforcing your controls and policies across all your IT environments: Kubernetes, AWS, Azure, GCP, Linux servers, Ansible automation, …

The problem is scale, and custom architecture patterns that try to bend platforms into doing something they were not designed for. AWS is great for infrastructure TLS; if you want certificates inside your workloads, you are in trouble. Applications that need to terminate TLS across a dozen different platforms put you back on manual certificate renewals.

Microsoft CA skills don’t transfer to anything here. I’ve watched it tried. It doesn’t work.

The Problem That Sneaks Up On You

Most homogeneous environments handle certificates fine on their own.

AWS? ACM just works. Kubernetes? Cert-manager just works. Microsoft CA inside Windows? Just works.

Nobody needs a “PKI Engineer” when infrastructure handles itself. You don’t think about certificates. You don’t have a problem.

Then something changes.

Applications need to terminate TLS. You’re not just issuing certificates anymore—you’re delivering them to systems that can’t fetch their own. It starts with your architects and ad-hoc strategic decisions (e.g., we do not trust public clouds that much, so we need to have certificates in Spring Boot apps). Suddenly, your ops teams are coordinating across platforms they don’t understand. Platforms that don’t talk to each other.

At low volume, you cope. Someone tracks expirations in a spreadsheet. Someone handles renewals when tickets come in. Ugly, but it works.

Then volume grows. Suddenly you’ve got thousands of certificates across a dozen platforms, and the spreadsheet has become a full-time job nobody wants.

The Regression Trap

Here’s a pattern I’ve seen repeatedly: smart teams, good intentions, same outcome.

Someone builds automation. Scripts. Pipelines. Something that works, mostly. Renewals happen, things improve.

Then an incident. A certificate expires that wasn’t in the system. Then another.

Manager panics. “Put it in a spreadsheet. I need to see what’s happening.”

Eighteen months of progress—gone.

The automation wasn’t visible enough to be trusted. Management couldn’t see it, so management couldn’t trust it. The spreadsheet they can understand.

Now you’re back to manual - with twice the volume and the same headcount.

The Arithmetic That Doesn’t Work

“PKI Engineer, 5+ years experience.”

How many people in the UK fit that spec? Maybe 500. Probably fewer. The US is not much better: the pool of talent is much smaller than the number of companies fishing in it.

Half are comfortable where they are. A quarter aren’t as good as their CV suggests. You’re competing with every bank and enterprise for the remaining handful.

Six-month hiring cycles. Premium salaries. Recruiters shrugging.

And what do you actually get? Someone who knows Microsoft CA. Someone who’s survived manual processes—not automated them. Someone who knows vendor GUIs, not infrastructure-as-code.

You’re hiring for narrow experience in the part that doesn’t need help, while your actual problem grows.

What Happens When You Hire Into Chaos

Let’s say you find someone. Good engineer. Solid CV. Joins the team.

Week one: discovery. Spreadsheets everywhere. Tribal knowledge. Partial automation nobody trusts. A manager who wants everything visible so they can “understand the exposure.”

Week two: firefighting begins. Expiration alerts. Renewal tickets. Teams who ignore warnings until production breaks.

Week three: the realisation. Eighty percent of this job is admin. Twenty percent is trying to build something better, but there’s no time, no authority, and no air cover.

They want to automate, but the manager wants the spreadsheet. They want to build a platform, but they’re drowning in symptoms.

Month six: burned out or interviewing elsewhere.

You’re back to the job req.

The Flip

What if you reversed the sequence?

Instead of hiring someone to survive the chaos, build the system that eliminates it. Then hire someone to run the system.

Not scripts that live in one engineer’s head. A platform.

Visibility: What certificates exist? Where? Who owns them? When do they expire? One source of truth. Accurate. Trusted.

Automation: Renewals happen without humans. Standard process. No tickets. No chasing.

Reporting: Management gets a dashboard they can understand. When they ask “what’s our certificate risk?”—you show them. Real-time. No scrambling.
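As an added illustration of the visibility and reporting layer described above (example code written for this edit, not from the original post): a small inventory built from a constructed discovery scan, de-duplicated by certificate fingerprint and bucketed by days to expiry, which is the number a dashboard would show when management asks “what’s our certificate risk?”. The hostnames, platform labels, owners and the 7/30-day thresholds are assumptions; the certificates are self-signed throwaways minted in the code so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Entry is one row of the single source of truth: the parsed certificate plus
// the ownership metadata the platform must track alongside it (constructed).
type Entry struct {
	Cert     *x509.Certificate
	Platform string // where it is deployed
	Owner    string // team accountable for renewal
}

// Risk buckets a management dashboard would display (thresholds are assumptions).
const (
	Expired  = "EXPIRED"
	Critical = "CRITICAL" // fewer than 7 days left
	Warning  = "WARNING"  // fewer than 30 days left
	OK       = "OK"
)

// Classify maps a certificate's NotAfter to a risk bucket relative to now.
func Classify(c *x509.Certificate, now time.Time) string {
	left := c.NotAfter.Sub(now)
	switch {
	case left <= 0:
		return Expired
	case left < 7*24*time.Hour:
		return Critical
	case left < 30*24*time.Hour:
		return Warning
	}
	return OK
}

// BuildReport returns per-bucket counts and the entries needing action, soonest
// first. A certificate is counted once, keyed by the SHA-256 of its DER bytes,
// so the same cert found on two hosts is one risk, not two.
func BuildReport(entries []Entry, now time.Time) (map[string]int, []Entry) {
	counts := map[string]int{}
	seen := map[[32]byte]bool{}
	var action []Entry
	for _, e := range entries {
		fp := sha256.Sum256(e.Cert.Raw)
		if seen[fp] {
			continue
		}
		seen[fp] = true
		s := Classify(e.Cert, now)
		counts[s]++
		if s != OK {
			action = append(action, e)
		}
	}
	sort.Slice(action, func(i, j int) bool {
		return action[i].Cert.NotAfter.Before(action[j].Cert.NotAfter)
	})
	return counts, action
}

// selfSigned mints a throwaway certificate so the example runs offline.
func selfSigned(cn string, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// SampleInventory is constructed data standing in for a discovery scan: one
// cert on two platforms, one expired, one nearly due, one healthy.
func SampleInventory(now time.Time) []Entry {
	api := selfSigned("api.example.internal", now.Add(3*24*time.Hour))
	return []Entry{
		{api, "k8s", "payments"},
		{api, "aws-alb", "payments"}, // same cert, second deployment
		{selfSigned("legacy.example.internal", now.Add(-2*24*time.Hour)), "linux", "core-banking"},
		{selfSigned("batch.example.internal", now.Add(20*24*time.Hour)), "azure", "data"},
		{selfSigned("web.example.internal", now.Add(200*24*time.Hour)), "gcp", "web"},
	}
}

func main() {
	now := time.Now()
	counts, action := BuildReport(SampleInventory(now), now)
	fmt.Printf("expired=%d critical=%d warning=%d ok=%d\n",
		counts[Expired], counts[Critical], counts[Warning], counts[OK])
	for _, e := range action {
		fmt.Printf("%-8s %-24s %-8s %-13s expires %s\n", Classify(e.Cert, now),
			e.Cert.Subject.CommonName, e.Platform, e.Owner, e.Cert.NotAfter.Format(time.RFC3339))
	}
}
```

The fingerprint-based de-duplication is the part a spreadsheet gets wrong: the same certificate deployed on a Kubernetes ingress and an AWS load balancer is one renewal with two delivery targets, and the action list should say so rather than counting it twice. Ownership travels with the row, so the report answers “who renews this?” as well as “when?”.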

Now when incidents happen, the platform is the answer. Not the problem. Not the thing that gets blamed and rolled back.

The Talent Pool Explodes

With a platform in place, you’re not hiring a “PKI Engineer” anymore.

You’re hiring an infrastructure engineer to operate and improve an existing system. That’s a completely different job. And a completely different talent pool.

Platform engineers. Thousands available, really smart. Automation-native. Multi-cloud fluent. They see their job as having fun building something “cool”.

SREs. Reliability mindset. Monitoring. Incident response. Systems thinking.

DevOps engineers. CI/CD. Infrastructure-as-code. Pipeline thinking.

None of them have “PKI experience.” None of them need it, because the title “PKI engineer” does not really mean much in today’s world. What is really hard about automation? You guessed it - connecting all the servers, microservices, workloads and compute to your automation. It is not “PKI work”; it is pure engineering.

Certificate concepts are learnable in weeks. Trust hierarchies. Validity periods. Chain of trust. It’s not complicated.

What these engineers bring is harder to teach: automation instinct, systems thinking, the reflex to build platforms instead of processes.

Bigger talent pool. Smarter candidates. Faster hiring. Lower cost.

What You Actually Need

With modern automation, you don’t need PKI specialists. You need two things:

Infrastructure engineers who think in APIs, not GUIs. Who can operate a platform across cloud, on-prem, and everything in between. They exist in abundance. They’re not searching for “PKI Engineer” roles.

Strategic leaders who can use infrastructure intelligence to plan beyond the current financial year. Who see certificates not as operational overhead but as data—a lens into how your systems actually connect.

Both exist. Neither is looking at your job req.

The Architecture Determines Everything

A manual process can only be run by people who’ve survived manual processes. That’s a narrow, exhausted, expensive talent pool—and they’ll recreate what they know.

An automated platform can be run by anyone who understands infrastructure. That’s a broad, available, energised talent pool—and they’ll improve what they inherit.

Your hiring problem is an automation problem in disguise.

The Sequence Matters

Don’t hire someone to build the automation while they’re also managing the spreadsheet. They’ll drown. The urgent will always beat the important.

Don’t automate without management visibility. After the first incident, trust evaporates. The spreadsheet will return.

Build the platform first. Make it visible. Make it trusted.

Then hire someone to run it—from a talent pool fifty times larger than the one you’re fishing in now.

Automate first. Then hire.


If you’re about to post that PKI Engineer role, maybe we should talk first. Fifteen minutes might save you a lot of headaches. [email protected]