What you'd actually do

Contribute to the Design, implementation, development, deployment, configuration, and enhancement of EJBCA-based PKI infrastructure, including CA hierarchies, RA functions, OCSP responders, and CRL distribution.

Define the technical roadmap for certificate lifecycle automation, secure key management, and high-assurance identity use cases.

Develop and maintain certificate lifecycle automation, including provisioning, renewal, revocation, monitoring, and audit logging.

Support internal stakeholders with certificate enrollment workflows (SCEP, EST, ACME, CMP) and usage patterns.

Help integrate certificate-based authentication into enterprise platforms, services, and workloads.

Skills

Required

5+ years of hands-on experience in PKI systems, including EJBCA or similar CA/RA platforms.
8+ years of experience with scripting or programming languages (e.g., Python, Golang, Java)
Strong understanding of X.509 certificates, CRLs, OCSP, certificate templates, trust chains and key usage extensions.
Experience with enrollment protocols such as SCEP, EST, ACME, or CMP.
Familiarity with certificate lifecycle automation, workflows or CLM platforms and APIs
Familiarity with HSM integration, key escrow, and secure enclaves.
Understanding of PKI use cases for TLS/mTLS, device identity, Wi-Fi/EAP, VPN, code signing, workload identity, etc.
Proficiency with Linux environments and version control systems (e.g., Git).
Familiarity with cloud environments (AWS) and how PKI integrates with cloud services.
Solid understanding of DevOps practices, CI/CD, monitoring, and ownership of production systems.
A demonstrated, genuine AI-first approach to engineering. Using AI to move faster, build fluency across the stack, and contribute well beyond your core specialty.
Experience using AI tools (e.g., Claude Code, GitHub Copilot, Codex, Cursor, etc.) in development workflows
Advanced prompt engineering skills and the ability to write precise, structured prompts and cultivate the system context that makes AI outputs reliable, secure, and production-ready.
Bachelor’s degree in Computer Science, Engineering, Cybersecurity, or equivalent experience.

Nice to have

Experience with hardware-backed security mechanisms such as TPM, HSM, or secure enclaves.
Experience with PKI in Kubernetes or service mesh environments (e.g., Istio, SPIRE, cert-manager).
Exposure to device attestation, platform security, or Secure Boot concepts.
Familiarity with relevant security frameworks or compliance standards (e.g., NIST, ISO, SOC 2).
Awareness of common security weaknesses (OWASP Top 10, CWE Top 25).
General understanding of core security concepts such as

To get the best candidate experience, please consider applying for a maximum of 3 roles within 12 months to ensure you are not duplicating efforts.

Job Category

Software Engineering

Job Details

About Salesforce

Salesforce is the #1 AI CRM, where humans with agents drive customer success together. Here, ambition meets action. Tech meets trust. And innovation isn’t a buzzword — it’s a way of life. The world of work as we know it is changing and we're looking for Trailblazers who are passionate about bettering business and the world through AI, driving innovation, and keeping Salesforce's core values at the heart of it all.

Ready to level-up your career at the company leading workforce transformation in the agentic era? You’re in the right place! Agentforce is the future of AI, and you are the future of Salesforce.

Overview of the Role:

The Enterprise Security Technology team builds and operates highly scalable, fault-tolerant, distributed systems to deliver cloud-scale security software across multiple public cloud platforms and Salesforce's internal infrastructure. Our key investments are in Identity & Access and Public Key Infrastructure (PKI), where we design and implement consistent, scalable services that empower engineers to operate securely across our IT network, cloud infrastructure, and data centers.

We are seeking a Senior or Lead Software Engineer with hands-on experience in enterprise-grade PKI technologies to contribute to the design, development, automation, and support of certificate lifecycle management capabilities across our environment. This role is based in New York, NY; Bellevue, WA; or San Francisco, CA.

Responsibilities:

Design, implement, and operate our PKI infrastructure, including Certificate Authority (CA) hierarchies, Registration Authority (RA) functions, Online Certificate Status Protocol (OCSP) responders, Certificate Revocation List (CRL) distribution, and certificate lifecycle automation (provisioning, renewal, revocation, monitoring, and audit logging) using Enrollment over Secure Transport (EST), Simple Certificate Enrollment Protocol (SCEP), Automated Certificate Management Environment (ACME), and Certificate Management Protocol (CMP) workflows.
Define and drive the technical roadmap for certificate lifecycle automation, secure key management, and high-assurance identity use cases, collaborating with security architects and infrastructure and application teams to align PKI solutions with organizational policies and compliance requirements.
Build and ship high-quality, production-grade software using modern engineering practices, with AI as a core part of your workflow — pushing the boundaries of AI development tools to deliver secure, optimized code and designing systems where AI agents integrate seamlessly into human workflows.
Contribute to documentation, operational runbooks, incident response, and troubleshooting for PKI-related issues, while maintaining a shared system context that enables AI to operate accurately and reliably.

Required Qualifications:

5+ years of hands-on experience with PKI systems including EJBCA or similar CA/RA platforms, with strong understanding of X.509 certificates, CRLs, OCSP, trust chains, key usage extensions, and enrollment protocols (SCEP, EST, ACME, CMP).
8+ years of experience with scripting or programming languages (e.g., Python, Golang, Java), proficiency in Linux environments and version control (e.g., Git), and solid understanding of DevOps practices, CI/CD, monitoring, and production system ownership.
Demonstrated AI-first approach to engineering, including hands-on use of AI tools (e.g., Claude Code, GitHub Copilot, Codex, Cursor) in development workflows, advanced prompt engineering skills, and the ability to cultivate system context that makes AI outputs reliable, secure, and production-ready.
Bachelor's degree in Computer Science, Engineering, or Cybersecurity.

Preferred Qualifications:

Experience with hardware-backed security mechanisms such as Trusted Platform Module (TPM), Hardware Security Module (HSM), or secure enclaves, and PKI in Kubernetes or service mesh environments (e.g., Istio, SPIRE, cert-manager).
Exposure to device attestation, platform security, or Secure Boot concepts.
Familiarity with relevant security frameworks or compliance standards (e.g., NIST, ISO, SOC 2) and common security weaknesses (OWASP Top 10, CWE Top 25).
General understanding of core security concepts such as Multi-Factor Authentication (MFA), Zero Trust, and secrets management.

Unleash Your Potential

When you join Salesforce, you’ll be limitless in all areas of your life. Our benefits and resources support you to find balance and be your best, and our AI agents accelerate your impact so you can do your best. Together, we’ll bring the power of Agentforce to organizations of all sizes and deliver amazing experiences that customers love. Apply today to not only shape the future — but to redefine what’s possible — for yourself, for AI, and the world.

Accommodations

If you need a reasonable accommodation during the application or the recruiting process, please submit a request via this Accommodations Request Form.

Please note that Salesforce uses artificial intelligence (AI) tools to help our recruiters assess and evaluate candidates’ resumes and qualifications throughout the recruiting process. Humans will always make any candidate selection and hiring decisions. Please see our Candidate Privacy Statement for more information about how we use your personal data and your rights, including with regard to use of AI tools and opt out options.

Posting Statement

Salesforce is an equal opportunity employer and maintains a policy of non-discrimination with all employees and applicants for employment. What does that mean exactly? It means that at Salesforce, we believe in equality for all. And we believe we can lead the path to equality in part by creating a workplace that’s inclusive, and free from discrimination. Know your rights: workplace discrimination is illegal. Any employee or potential employee will be assessed on the basis of merit, competence and qualifications – without regard to race, religion, color, national origin, sex, sexual orientation, gender expression or identity, transgender status, age, disability, veteran or marital status, political viewpoint, or other classifications protected by law. This policy applies to current and prospective employees, no matter where they are in their Salesforce employment journey. It also applies to recruiting, hiring, job assignment, compensation, promotion, benefits, training, assessment of job performance, discipline, termination, and everything in between. Recruiting, hiring, and promotion decisions at Salesforce are fair and based on merit. The same goes for compensation, benefits, promotions, transfers, reduction in workforce, recall, training, and education.

In the United States, compensation offered will be determined by factors such as location, job level, job-related knowledge, skills, and experience. Certain roles may be eligible for incentive compensation, equity, and benefits. Salesforce offers a variety of benefits to help you live well including: time off programs, medical, dental, vision, mental health support, paid parental leave, life and disability insurance, 401(k), and an employee stock purchasing program. More details about company benefits can be found at the following link: https://www.salesforcebenefits.com.Pursuant to the San Francisco Fair Chance Ordinance and the Los Angeles Fair Chance Initiative for Hiring, Salesforce will consider for employment qualified applicants with arrest and conviction records.

At Salesforce, we believe in equitable compensation practices that reflect the dynamic nature of labor markets across various regions. The typical base salary range for this position is $148,500 - $260,100 annually. In select cities within the San Francisco and New York City metropolitan area, the base salary range for this role is $178,900 - $285,800 annually. The range represents base salary only, and does not include company bonus, incentive for sales roles, equity or benefits, as applicable.