Senior Software Engineer, Enterprise PKI

## Description

About the team

The Enterprise Security Technology team builds and operates highly scalable, fault-tolerant, distributed systems to deliver cloud-scale security software across multiple public cloud platforms and Salesforce’s internal infrastructure.

Our key investments are in the area of Identity & Access and Public Key Infrastructure where we design and implement consistent and scalable services for Salesforce Enterprise, integrating our IT network, public cloud infrastructure and our own data centers, and empowering all our engineers to operate these environments in a secure manner.

About the position

We are seeking a Senior Software Engineer with hands-on experience in Enterprise grade Public Key Infrastructure (PKI) technologies. In this role, you will contribute to the design/architecture, development, automation, and support of PKI and certificate lifecycle management capabilities across the enterprise environment. The role involves strong collaboration with security, infrastructure, and application teams to ensure secure authentication, encryption, and digital trust within our systems.

Responsibilities:

• Contribute to the Design, implementation, development, deployment, configuration, and enhancement of EJBCA-based PKI infrastructure, including CA hierarchies, RA functions, OCSP responders, and CRL distribution.
• Define the technical roadmap for certificate lifecycle automation, secure key management, and high-assurance identity use cases.
• Develop and maintain certificate lifecycle automation, including provisioning, renewal, revocation, monitoring, and audit logging.
• Support internal stakeholders with certificate enrollment workflows (SCEP, EST, ACME, CMP) and usage patterns.
• Help integrate certificate-based authentication into enterprise platforms, services, and workloads.
• Support certificate lifecycle management processes for internal clients, applications, and devices.
• Collaborate with security architects, infrastructure, and application teams to align PKI solutions with organizational policies and compliance requirements.
• Participate in incident response and troubleshooting for PKI-related issues such as certificate validation failures or service outages.
• Develop & contribute to documentation, operational runbooks, and standards for PKI operations.

Required Skills/Experience:

• 5+ years of hands-on experience in PKI systems, including EJBCA or similar CA/RA platforms.
• 8+ years of experience with scripting or programming languages (e.g., Python, Golang, Java)
• Strong understanding of X.509 certificates, CRLs, OCSP, certificate templates, trust chains and key usage extensions.
• Experience with enrollment protocols such as SCEP, EST, ACME, or CMP.
• Familiarity with certificate lifecycle automation, workflows or CLM platforms and APIs
• Familiarity with HSM integration, key escrow, and secure enclaves.
• Understanding of PKI use cases for TLS/mTLS, device identity, Wi-Fi/EAP, VPN, code signing, workload identity, etc.
• Proficiency with Linux environments and version control systems (e.g., Git).
• Familiarity with cloud environments (AWS) and how PKI integrates with cloud services.
• Solid understanding of DevOps practices, CI/CD, monitoring, and ownership of production systems.
• Bachelor’s degree in Computer Science, Engineering, Cybersecurity, or equivalent experience.

Desired Skills:

• Experience with hardware-backed security mechanisms such as TPM, HSM, or secure enclaves.
• Experience with PKI in Kubernetes or service mesh environments (e.g., Istio, SPIRE, cert-manager).
• Exposure to device attestation, platform security, or Secure Boot concepts.
• Familiarity with relevant security frameworks or compliance standards (e.g., NIST, ISO, SOC 2).
• Awareness of common security weaknesses (OWASP Top 10, CWE Top 25).
• General understanding of core security concepts such as MFA, Zero Trust, and secrets management.

For roles in San Francisco and Los Angeles: Pursuant to the San Francisco Fair Chance Ordinance and the Los Angeles Fair Chance Initiative for Hiring, Salesforce will consider for employment qualified applicants with arrest and conviction records.