Senior Security Engineer, PKI & Secrets

As a Senior Security Engineer on the PKI & Secrets team, you will shape how CoreWeave manages cryptographic infrastructure across its global fleet. You'll design and operate PKI hierarchies, secrets management platforms, HSM infrastructure, and key management systems; working hands-on with engineering teams to integrate these capabilities into their services and workflows.

Key responsibilities include:

• Contributing to the design, implementation, and operation of CoreWeave's PKI infrastructure, including CA hierarchies, issuance policies, certificate lifecycle management, and trust distribution across Kubernetes clusters and bare-metal hosts.

• Managing and evolving secrets management platforms, including access policies, secret lifecycle governance, and integration patterns using External Secrets Operator and cert-manager.

• Operating and scaling HSM infrastructure, including PKCS#11 integration, key ceremony procedures, and high-availability designs backing our certificate authorities and signing services.

• Contributing to the design of key management and data encryption solutions for internal and customer-facing use cases, including envelope encryption and KMS API design.

• Delivering PKI-based solutions supporting workload identity, mutual TLS, and hardware attestation.

• Maintaining and extending code signing infrastructure for firmware images, UEFI binaries, container images, and application binaries.

• Developing and enforcing cryptographic best practices and policies, and contributing to post-quantum cryptography readiness.

Requirements include:

• 5+ years of experience in security engineering or infrastructure engineering.

• Strong understanding of PKI concepts including CA hierarchies, certificate profiles, issuance policies, revocation, and trust distribution.

• Hands-on experience operating HashiCorp Vault or similar secrets management platforms in production.

• Experience with hardware security modules (HSMs), PKCS#11 interfaces, and key ceremony procedures.

• Solid understanding of applied cryptography: symmetric and asymmetric algorithms, digital signatures, envelope encryption, and TLS.

• Proficiency in Go, Python, or similar languages, with the ability to build production tooling and automation.

• Experience with Kubernetes, including cert-manager, trust-manager, or External Secrets Operator.

• Demonstrated ability to drive cross-functional initiatives across infrastructure, platform, and product teams.

Preferred qualifications include experience operating PKI backed by HSMs in a cloud provider or hyperscaler environment, familiarity with code signing workflows, and understanding of hardware attestation and workload identity.