Overview of the Role:

The Enterprise Security Technology team builds and operates highly scalable, fault-tolerant, distributed systems to deliver cloud-scale security software across multiple public cloud platforms and Salesforce's internal infrastructure. Our key investments are in Identity & Access and Public Key Infrastructure (PKI), where we design and implement consistent, scalable services that empower engineers to operate securely across our IT network, cloud infrastructure, and data centers.

We are seeking a Senior or Lead Software Engineer with hands-on experience in enterprise-grade PKI technologies to contribute to the design, development, automation, and support of certificate lifecycle management capabilities across our environment. This role is based in New York, NY; Bellevue, WA; or San Francisco, CA.

Responsibilities:

• Design, implement, and operate our PKI infrastructure, including Certificate Authority (CA) hierarchies, Registration Authority (RA) functions, Online Certificate Status Protocol (OCSP) responders, Certificate Revocation List (CRL) distribution, and certificate lifecycle automation (provisioning, renewal, revocation, monitoring, and audit logging) using Enrollment over Secure Transport (EST), Simple Certificate Enrollment Protocol (SCEP), Automated Certificate Management Environment (ACME), and Certificate Management Protocol (CMP) workflows.
• Define and drive the technical roadmap for certificate lifecycle automation, secure key management, and high-assurance identity use cases, collaborating with security architects and infrastructure and application teams to align PKI solutions with organizational policies and compliance requirements.
• Build and ship high-quality, production-grade software using modern engineering practices, with AI as a core part of your workflow — pushing the boundaries of AI development tools to deliver secure, optimized code and designing systems where AI agents integrate seamlessly into human workflows.
• Contribute to documentation, operational runbooks, incident response, and troubleshooting for PKI-related issues, while maintaining a shared system context that enables AI to operate accurately and reliably.

Required Qualifications:

• 5+ years of hands-on experience with PKI systems including EJBCA or similar CA/RA platforms, with strong understanding of X.509 certificates, CRLs, OCSP, trust chains, key usage extensions, and enrollment protocols (SCEP, EST, ACME, CMP).
• 8+ years of experience with scripting or programming languages (e.g., Python, Golang, Java), proficiency in Linux environments and version control (e.g., Git), and solid understanding of DevOps practices, CI/CD, monitoring, and production system ownership.
• Demonstrated AI-first approach to engineering, including hands-on use of AI tools (e.g., Claude Code, GitHub Copilot, Codex, Cursor) in development workflows, advanced prompt engineering skills, and the ability to cultivate system context that makes AI outputs reliable, secure, and production-ready.
• Bachelor's degree in Computer Science, Engineering, or Cybersecurity.

Preferred Qualifications:

• Experience with hardware-backed security mechanisms such as Trusted Platform Module (TPM), Hardware Security Module (HSM), or secure enclaves, and PKI in Kubernetes or service mesh environments (e.g., Istio, SPIRE, cert-manager).
• Exposure to device attestation, platform security, or Secure Boot concepts.
• Familiarity with relevant security frameworks or compliance standards (e.g., NIST, ISO, SOC 2) and common security weaknesses (OWASP Top 10, CWE Top 25).
• General understanding of core security concepts such as Multi-Factor Authentication (MFA), Zero Trust, and secrets management.