Sr./Lead Software Engineer (Enterprise PKI)

TL;DR

Sr./Lead Software Engineer (Enterprise PKI): Contribute to design, implementation, and automation of EJBCA-based PKI infrastructure with an accent on certificate lifecycle management, secure key handling, and integration protocols. Focus on developing automation for provisioning, renewal, revocation, and supporting enterprise authentication across cloud and internal systems.

Location: Onsite in San Francisco, CA; New York, NY; or Bellevue, WA

Company

Enterprise Security Technology team builds scalable, fault-tolerant distributed systems for cloud-scale security across public clouds and internal infrastructure, focusing on Identity & Access and PKI.

What you will do

• Design, implement, deploy, and enhance EJBCA-based PKI infrastructure including CA hierarchies, RA functions, OCSP responders, and CRL distribution.
• Define technical roadmap for certificate lifecycle automation, secure key management, and high-assurance identity use cases.
• Develop and maintain automation for provisioning, renewal, revocation, monitoring, and audit logging of certificates.
• Support stakeholders with enrollment workflows (SCEP, EST, ACME, CMP) and integrate certificate-based authentication into platforms and workloads.
• Collaborate with security, infrastructure, and application teams to align PKI with policies and compliance.
• Participate in incident response, troubleshooting, documentation, and operational standards for PKI.

Requirements

• 5+ years hands-on experience in PKI systems including EJBCA or similar CA/RA platforms
• 8+ years experience with scripting/programming (Python, Golang, Java)
• Strong understanding of X.509 certificates, CRLs, OCSP, certificate templates, trust chains, and key usage extensions.
• Experience with enrollment protocols (SCEP, EST, ACME, CMP).
• Familiarity with certificate lifecycle automation, HSM integration, key escrow, secure enclaves, and PKI use cases (TLS/mTLS, device identity, etc.).
• Proficiency with Linux, Git, AWS, DevOps practices, CI/CD, monitoring; Bachelor’s in CS, Engineering, Cybersecurity or equivalent.

Nice to have

• Experience with TPM, HSM, secure enclaves, PKI in Kubernetes/Istio/SPIRE/cert-manager.
• Exposure to device attestation, platform security, Secure Boot, security frameworks (NIST, ISO, SOC 2), OWASP/CWE, MFA, Zero Trust, secrets management.

Culture & Benefits

• Collaborative environment with security architects, infrastructure, and application teams.
• Focus on scalable services integrating IT network, public cloud, and data centers.
• Empower engineers to operate secure environments.
• Consideration for qualified applicants with arrest/conviction records in SF/LA per local ordinances.