โœฆ CISSP Certified 6+ Years PKI Engineering ๐Ÿ“ Brussels, Belgium

Your certificates.
Secured. Automated.
Compliant by design.

Brussels-based PKI boutique helping banks, financial institutions, and smart-city operators design, deploy, and automate enterprise PKI โ€” fully aligned with DORA, NIS2, and eIDAS 2.0.

Book a Free Discovery Call โ†’ Explore Services
Available for engagements ยท Q2 2026
6+
Years PKI engineering
100%
Senior-only delivery
โ‚ฌ18k
Fixed-price assessments
0
Juniors on your project
Why this matters now

Regulators stopped looking away.

PKI is invisible โ€” until it isn't. Expired certificates take down production. Misconfigured CAs fail audits. Four forces are converging.

DORA

Operational resilience, now enforceable

Cryptographic controls are an explicit pillar of DORA. Register, audit, remediate โ€” on schedule.

NIS2

Expanded scope, personal liability

Boards can be personally liable. PKI hygiene is no longer an IT back-office concern.

eIDAS 2.0

QWACs, QSealCs, and wallets

New qualified trust services require conformance against ETSI EN 319-series norms.

Post-Quantum

A two-decade migration has begun

Crypto-agility is the new hygiene. Inventory, prioritise, and pilot ML-KEM / ML-DSA early.

Services

Six engagement types. Senior-only delivery.

Scoped, fixed-price where we can โ€” time & materials where scope genuinely moves. No junior account manager between you and the work.

PKI Architecture & Design

End-to-end design of a production-grade PKI hierarchy: trust anchor, CA policies, HSM integration, CP/CPS drafting.

โ†’ Architecture doc, HSM sizing, CP/CPS draft

DORA Gap Assessment

Structured review of cryptographic controls against DORA ICT risk requirements. Register, map, remediate.

โ†’ Gap register + remediation roadmap

EJBCA / ADCS Deployment

Hands-on installation and hardening โ€” Enterprise Java Beans CA, Microsoft ADCS, HashiCorp Vault.

โ†’ Running, hardened, documented PKI

Certificate Lifecycle Automation

ACME, EST, SCEP, cert-manager, Venafi integration. No more expired certs taking down production.

โ†’ Automated issuance + renewal pipeline

PKI Incident Response

Private-key compromise, CA migration, revocation storms โ€” 24h senior on-call during the bleed.

โ†’ Contained incident + post-mortem

Technical Training

On-site or remote workshops for your engineering, ops, and compliance teams. No slides โ€” live labs.

โ†’ Certified, confident PKI operators
IZ
Ismail Zemouri, CISSP
About

Senior expertise. Zero juniors. No fluff.

MYKEYPAIR is led by Ismail Zemouri, CISSP โ€” 6+ years of hands-on PKI engineering across EU banks, financial market infrastructure, and critical utilities. Previous engagements with leading EU banks, a major central bank, critical infrastructure operators, and a global automotive group.

Vendor-agnostic. EJBCA, Microsoft ADCS, HashiCorp Vault, enterprise HSMs, AWS CloudHSM โ€” the tool follows the architecture, not the other way around.

CISSP ETSI EN 319 EJBCA PKI CA HSM integration
Pricing

Three ways to work with us.

All prices exclude 21% VAT. EU reverse charge applies for B2B outside Belgium.

Discovery
Free ยท 30 min

Scoping call. Senior-to-senior. No sales deck.

  • Your PKI estate, reviewed
  • Regulatory exposure
  • Proposal within 48 h
Book call โ†’
Most popular
Fixed Engagement
โ‚ฌ18,000 ยท from

Architecture, gap assessment, or deployment โ€” scoped, fixed.

  • Scoped SOW
  • Defined deliverable
  • CISSP-led, senior-only
  • Written report + handover
Request a proposal โ†’
Retainer
โ‚ฌ12,500 / month

Senior PKI on-call for your team. Cap 10 days/month.

  • Named senior engineer
  • 10 day/month cap
  • 24 h response SLA
  • Quarterly review
Discuss retainer โ†’
Ready to start?

Let's talk about your PKI estate.

30-minute discovery call โ€” senior-to-senior. No sales deck, no demos, no junior account manager.