diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b5c33b6a..527fd5945 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ FEATURES:
 * Add support for new WIF fields in `vault_gcp_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2249](https://github.com/hashicorp/terraform-provider-vault/pull/2249)). 
 * Add support for new WIF fields in `vault_aws_auth_backend_client`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2243](https://github.com/hashicorp/terraform-provider-vault/pull/2243)).
 * Add support for new WIF fields in `vault_azure_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2250](https://github.com/hashicorp/terraform-provider-vault/pull/2250))
+* Add new data source and resource `vault_pki_secret_backend_config_est`. Requires Vault 1.16+. *Available only for Vault Enterprise* ([#2246](https://github.com/hashicorp/terraform-provider-vault/pull/2246))
 
 IMPROVEMENTS:
 * return a useful error when delete fails for the `vault_jwt_auth_backend_role` resource: ([#2232](https://github.com/hashicorp/terraform-provider-vault/pull/2232))
diff --git a/internal/consts/consts.go b/internal/consts/consts.go
index 2fd4dc35f..c0ca12539 100644
--- a/internal/consts/consts.go
+++ b/internal/consts/consts.go
@@ -424,6 +424,14 @@ const (
 	FieldDelegatedAuthAccessors        = "delegated_auth_accessors"
 	FieldPluginVersion                 = "plugin_version"
 	FieldUseMSGraphAPI                 = "use_microsoft_graph_api"
+	FieldEnabled                       = "enabled"
+	FieldDefaultMount                  = "default_mount"
+	FieldDefaultPathPolicy             = "default_path_policy"
+	FieldLabelToPathPolicy             = "label_to_path_policy"
+	FieldAuthenticators                = "authenticators"
+	FieldEnableSentinelParsing         = "enable_sentinel_parsing"
+	FieldAuditFields                   = "audit_fields"
+	FieldLastUpdated                   = "last_updated"
 
 	/*
 		common environment variables
diff --git a/vault/data_source_pki_secret_backend_config_est.go b/vault/data_source_pki_secret_backend_config_est.go
new file mode 100644
index 000000000..96448aa06
--- /dev/null
+++ b/vault/data_source_pki_secret_backend_config_est.go
@@ -0,0 +1,165 @@
+package vault
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+	"github.com/hashicorp/terraform-provider-vault/internal/provider"
+	"github.com/hashicorp/vault/api"
+)
+
+func pkiSecretBackendConfigEstDataSource() *schema.Resource {
+	return &schema.Resource{
+		Description: "Reads Vault PKI EST configuration",
+		ReadContext: provider.ReadContextWrapper(readPKISecretBackendConfigEst),
+		Schema: map[string]*schema.Schema{
+			consts.FieldBackend: {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Path where PKI engine is mounted",
+			},
+			consts.FieldEnabled: {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "Specifies whether EST is enabled",
+			},
+			consts.FieldDefaultMount: {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "If set, this mount is registered as the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster",
+			},
+			consts.FieldDefaultPathPolicy: {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:<role_name>",
+			},
+			consts.FieldLabelToPathPolicy: {
+				Type:        schema.TypeMap,
+				Computed:    true,
+				Description: "A pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:<role_name>. Labels must be unique across Vault cluster, and will register .well-known/est/<label> URL paths",
+			},
+			consts.FieldAuthenticators: {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "Lists the mount accessors EST should delegate authentication requests towards",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"cert": {
+							Type:        schema.TypeMap,
+							Optional:    true,
+							Description: "The accessor and cert_role properties for cert auth backends",
+						},
+						"userpass": {
+							Type:        schema.TypeMap,
+							Optional:    true,
+							Description: "The accessor property for user pass auth backends",
+						},
+					},
+				},
+			},
+			consts.FieldEnableSentinelParsing: {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "If set, parse out fields from the provided CSR making them available for Sentinel policies",
+			},
+			consts.FieldAuditFields: {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			consts.FieldLastUpdated: {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "A read-only timestamp representing the last time the configuration was updated",
+			},
+		},
+	}
+}
+
+func readPKISecretBackendConfigEst(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	if err := verifyPkiEstFeatureSupported(meta); err != nil {
+		return diag.FromErr(err)
+	}
+
+	client, err := provider.GetClient(d, meta)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed getting client: %w", err))
+	}
+
+	backend := d.Get(consts.FieldBackend).(string)
+	path := pkiSecretBackendConfigEstPath(backend)
+
+	if err := readEstConfig(ctx, d, client, path); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func readEstConfig(ctx context.Context, d *schema.ResourceData, client *api.Client, path string) error {
+	resp, err := client.Logical().ReadWithContext(ctx, path)
+	if err != nil {
+		return fmt.Errorf("error reading from Vault: %w", err)
+	}
+	if resp == nil {
+		return fmt.Errorf("got nil response from Vault from path: %q", path)
+	}
+
+	d.SetId(path)
+
+	keyComputedFields := []string{
+		consts.FieldEnabled,
+		consts.FieldDefaultMount,
+		consts.FieldDefaultPathPolicy,
+		consts.FieldLabelToPathPolicy,
+		consts.FieldEnableSentinelParsing,
+		consts.FieldAuditFields,
+		consts.FieldLastUpdated,
+	}
+
+	for _, k := range keyComputedFields {
+		if fieldVal, ok := resp.Data[k]; ok {
+			if err := d.Set(k, fieldVal); err != nil {
+				return fmt.Errorf("failed setting field [%s] with val [%s]: %w", k, fieldVal, err)
+			}
+		}
+	}
+
+	if authenticators, authOk := resp.Data[consts.FieldAuthenticators]; authOk {
+		if err := d.Set(consts.FieldAuthenticators, []interface{}{authenticators}); err != nil {
+			return fmt.Errorf("failed setting field [%s] with val [%s]: %w", consts.FieldAuthenticators, authenticators, err)
+		}
+	}
+
+	return nil
+}
+
+// verifyPkiEstFeatureSupported verifies that we are talking to a Vault enterprise edition
+// and its version 1.16.0 or higher, returns nil if the above is met, otherwise an error
+func verifyPkiEstFeatureSupported(meta interface{}) error {
+	currentVersion := meta.(*provider.ProviderMeta).GetVaultVersion()
+
+	minVersion := provider.VaultVersion116
+	if !provider.IsAPISupported(meta, minVersion) {
+		return fmt.Errorf("feature not enabled on current Vault version. min version required=%s; "+
+			"current vault version=%s", minVersion, currentVersion)
+	}
+
+	if !provider.IsEnterpriseSupported(meta) {
+		return errors.New("feature requires Vault Enterprise")
+	}
+	return nil
+}
+
+func pkiSecretBackendConfigEstPath(backend string) string {
+	return strings.Trim(backend, "/") + "/config/est"
+}
diff --git a/vault/data_source_pki_secret_backend_config_est_test.go b/vault/data_source_pki_secret_backend_config_est_test.go
new file mode 100644
index 000000000..5fc8e91c8
--- /dev/null
+++ b/vault/data_source_pki_secret_backend_config_est_test.go
@@ -0,0 +1,52 @@
+package vault
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+	"github.com/hashicorp/terraform-provider-vault/internal/provider"
+	"github.com/hashicorp/terraform-provider-vault/testutil"
+)
+
+func TestAccDataSourcePKISecretConfigEst(t *testing.T) {
+	backend := acctest.RandomWithPrefix("tf-test-pki-backend")
+	dataName := "data.vault_pki_secret_backend_config_est.test"
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.TestEntPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion116)
+		},
+		Steps: []resource.TestStep{
+			{
+				// Note this is more thoroughly tested within TestAccPKISecretBackendConfigEst_basic
+				// we don't want to start having test failures if Vault changes default values.
+				Config: testPKISecretEmptyEstConfigDataSource(backend),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(dataName, consts.FieldBackend, backend),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldEnabled),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldDefaultMount),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldEnableSentinelParsing),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldLastUpdated),
+				),
+			},
+		},
+	})
+}
+
+func testPKISecretEmptyEstConfigDataSource(path string) string {
+	return fmt.Sprintf(`
+resource "vault_mount" "test" {
+	path        = "%s"
+	type        = "pki"
+    description = "PKI secret engine mount"
+}
+
+data "vault_pki_secret_backend_config_est" "test" {
+  backend = vault_mount.test.path
+}`, path)
+}
diff --git a/vault/provider.go b/vault/provider.go
index 55db5c6ec..f64faf555 100644
--- a/vault/provider.go
+++ b/vault/provider.go
@@ -167,6 +167,10 @@ var (
 			Resource:      UpdateSchemaResource(raftAutopilotStateDataSource()),
 			PathInventory: []string{"/sys/storage/raft/autopilot/state"},
 		},
+		"vault_pki_secret_backend_config_est": {
+			Resource:      UpdateSchemaResource(pkiSecretBackendConfigEstDataSource()),
+			PathInventory: []string{"/pki/config/est"},
+		},
 		"vault_pki_secret_backend_issuer": {
 			Resource:      UpdateSchemaResource(pkiSecretBackendIssuerDataSource()),
 			PathInventory: []string{"/pki/issuer/{issuer_ref}"},
@@ -583,6 +587,10 @@ var (
 			Resource:      UpdateSchemaResource(pkiSecretBackendConfigClusterResource()),
 			PathInventory: []string{"/pki/config/cluster"},
 		},
+		"vault_pki_secret_backend_config_est": {
+			Resource:      UpdateSchemaResource(pkiSecretBackendConfigEstResource()),
+			PathInventory: []string{"/pki/config/est"},
+		},
 		"vault_pki_secret_backend_config_urls": {
 			Resource:      UpdateSchemaResource(pkiSecretBackendConfigUrlsResource()),
 			PathInventory: []string{"/pki/config/urls"},
diff --git a/vault/resource_pki_secret_backend_config_est.go b/vault/resource_pki_secret_backend_config_est.go
new file mode 100644
index 000000000..eb1232edb
--- /dev/null
+++ b/vault/resource_pki_secret_backend_config_est.go
@@ -0,0 +1,178 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package vault
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+	"github.com/hashicorp/terraform-provider-vault/internal/provider"
+)
+
+func pkiSecretBackendConfigEstResource() *schema.Resource {
+	return &schema.Resource{
+		Description:   "Manages Vault PKI EST configuration",
+		CreateContext: provider.MountCreateContextWrapper(pkiSecretBackendConfigEstWrite, provider.VaultVersion116),
+		UpdateContext: pkiSecretBackendConfigEstWrite,
+		ReadContext:   pkiSecretBackendConfigEstRead,
+		DeleteContext: pkiSecretBackendConfigEstDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+
+		Schema: map[string]*schema.Schema{
+			consts.FieldBackend: {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The PKI secret backend the resource belongs to",
+				ForceNew:    true,
+			},
+			consts.FieldEnabled: {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Specifies whether EST is enabled",
+			},
+			consts.FieldDefaultMount: {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "If set, this mount will register the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster",
+			},
+			consts.FieldDefaultPathPolicy: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:<role_name>",
+			},
+			consts.FieldLabelToPathPolicy: {
+				Type:        schema.TypeMap,
+				Optional:    true,
+				Description: "Configures a pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:<role_name>. Labels must be unique across Vault cluster, and will register .well-known/est/<label> URL paths",
+			},
+			consts.FieldAuthenticators: {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Computed:    true,
+				Description: "Lists the mount accessors EST should delegate authentication requests towards",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"cert": {
+							Type:     schema.TypeMap,
+							Optional: true,
+						},
+						"userpass": {
+							Type:     schema.TypeMap,
+							Optional: true,
+						},
+					},
+				},
+				MaxItems: 1,
+			},
+			consts.FieldEnableSentinelParsing: {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "If set, parse out fields from the provided CSR making them available for Sentinel policies",
+			},
+			consts.FieldAuditFields: {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Computed:    true,
+				Description: "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			consts.FieldLastUpdated: {
+				Type:        schema.TypeString,
+				Computed:    true, // read-only property
+				Description: "A read-only timestamp representing the last time the configuration was updated",
+			},
+		},
+	}
+}
+
+func pkiSecretBackendConfigEstWrite(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	if err := verifyPkiEstFeatureSupported(meta); err != nil {
+		return diag.FromErr(err)
+	}
+
+	client, e := provider.GetClient(d, meta)
+	if e != nil {
+		return diag.FromErr(e)
+	}
+
+	backend := d.Get(consts.FieldBackend).(string)
+	path := pkiSecretBackendConfigEstPath(backend)
+
+	fieldsToSet := []string{
+		consts.FieldEnabled,
+		consts.FieldDefaultMount,
+		consts.FieldDefaultPathPolicy,
+		consts.FieldLabelToPathPolicy,
+		consts.FieldEnableSentinelParsing,
+		consts.FieldAuditFields,
+	}
+
+	data := map[string]interface{}{}
+	for _, field := range fieldsToSet {
+		if val, ok := d.GetOk(field); ok {
+			data[field] = val
+		}
+	}
+
+	if authenticatorsRaw, ok := d.GetOk(consts.FieldAuthenticators); ok {
+		authenticators := authenticatorsRaw.([]interface{})
+		var authenticator interface{}
+		if len(authenticators) > 0 {
+			authenticator = authenticators[0]
+		}
+
+		data[consts.FieldAuthenticators] = authenticator
+	}
+
+	log.Printf("[DEBUG] Updating EST config on PKI secret backend %q:\n%v", backend, data)
+	_, err := client.Logical().WriteWithContext(ctx, path, data)
+	if err != nil {
+		return diag.Errorf("error updating EST config for PKI secret backend %q: %s", backend, err)
+	}
+	log.Printf("[DEBUG] Updated EST config on PKI secret backend %q", backend)
+
+	d.SetId(path)
+
+	return pkiSecretBackendConfigEstRead(ctx, d, meta)
+}
+
+func pkiSecretBackendConfigEstRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	id := d.Id()
+	if id == "" {
+		return diag.FromErr(fmt.Errorf("no path set for import, id=%q", id))
+	}
+
+	backend := strings.TrimSuffix(id, "/config/est")
+	if err := d.Set("backend", backend); err != nil {
+		return diag.FromErr(fmt.Errorf("failed setting field [%s] with value [%v]: %w", "backend", backend, err))
+	}
+
+	if err := verifyPkiEstFeatureSupported(meta); err != nil {
+		return diag.FromErr(err)
+	}
+
+	client, err := provider.GetClient(d, meta)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed getting client: %w", err))
+	}
+
+	if err := readEstConfig(ctx, d, client, id); err != nil {
+		return diag.FromErr(err)
+	}
+	return nil
+}
+
+func pkiSecretBackendConfigEstDelete(_ context.Context, _ *schema.ResourceData, _ interface{}) diag.Diagnostics {
+	// There isn't any delete API for the EST config.
+	return nil
+}
diff --git a/vault/resource_pki_secret_backend_config_est_test.go b/vault/resource_pki_secret_backend_config_est_test.go
new file mode 100644
index 000000000..b25192818
--- /dev/null
+++ b/vault/resource_pki_secret_backend_config_est_test.go
@@ -0,0 +1,201 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package vault
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+	"github.com/hashicorp/terraform-provider-vault/internal/provider"
+	"github.com/hashicorp/terraform-provider-vault/testutil"
+)
+
+func TestAccPKISecretBackendConfigEst_Empty(t *testing.T) {
+	t.Parallel()
+
+	backend := acctest.RandomWithPrefix("tf-test-pki")
+	resourceType := "vault_pki_secret_backend_config_est"
+	resourceBackend := resourceType + ".test"
+	dataName := "data.vault_pki_secret_backend_config_est.test"
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.TestEntPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion116)
+		},
+		CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypePKI, consts.FieldBackend),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPKISecretBackendConfigEstDisabled(backend),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldBackend, backend),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldEnabled, "false"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldDefaultMount, "false"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldDefaultPathPolicy, ""),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldLabelToPathPolicy+".%", "0"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldAuthenticators+".#", "1"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldAuthenticators+".0.%", "2"),
+					resource.TestCheckNoResourceAttr(resourceBackend, consts.FieldAuthenticators+".0.cert"),
+					resource.TestCheckNoResourceAttr(resourceBackend, consts.FieldAuthenticators+".0.userpass"),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldLastUpdated),
+
+					// Validate we read back the data back as we did upon creation
+					resource.TestCheckResourceAttr(dataName, consts.FieldBackend, backend),
+					resource.TestCheckResourceAttr(dataName, consts.FieldEnabled, "false"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldDefaultMount, "false"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldDefaultPathPolicy, ""),
+					resource.TestCheckResourceAttr(dataName, consts.FieldLabelToPathPolicy+".%", "0"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldAuthenticators+".#", "1"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldAuthenticators+".0.%", "2"),
+					resource.TestCheckNoResourceAttr(dataName, consts.FieldAuthenticators+".0.cert"),
+					resource.TestCheckNoResourceAttr(dataName, consts.FieldAuthenticators+".0.userpass"),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldLastUpdated),
+				),
+			},
+			testutil.GetImportTestStep(resourceBackend, false, nil),
+		},
+	})
+
+}
+
+func TestAccPKISecretBackendConfigEst_AllFields(t *testing.T) {
+	t.Parallel()
+
+	backend := acctest.RandomWithPrefix("tf-test-pki")
+	resourceType := "vault_pki_secret_backend_config_est"
+	resourceBackend := resourceType + ".test"
+	dataName := "data.vault_pki_secret_backend_config_est.test"
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.TestEntPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion116)
+		},
+		CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypePKI, consts.FieldBackend),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPKISecretBackendConfigEstComplete(backend),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldBackend, backend),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldEnabled, "true"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldDefaultMount, "true"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldDefaultPathPolicy, "role:est-role"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldLabelToPathPolicy+".%", "2"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldLabelToPathPolicy+".test-label", "sign-verbatim"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldLabelToPathPolicy+".test-label-2", "role:est-role-2"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldAuthenticators+".#", "1"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldAuthenticators+".0.%", "2"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldAuthenticators+".0.cert.%", "2"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldAuthenticators+".0.cert.accessor", "test"),
+					// @TODO add these back in when Vault 1.16.3 is released (https://github.com/hashicorp/vault-enterprise/pull/5785)
+					// resource.TestCheckResourceAttr(resourceBackend, consts.FieldAuthenticators+".0.cert.cert_role", "a-role"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldAuthenticators+".0.userpass.%", "1"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldAuthenticators+".0.userpass.accessor", "test2"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldEnableSentinelParsing, "true"),
+					resource.TestCheckResourceAttr(resourceBackend, consts.FieldAuditFields+".#", "20"),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldLastUpdated),
+
+					// Validate that the data property can read back everything filled in
+					resource.TestCheckResourceAttr(dataName, consts.FieldBackend, backend),
+					resource.TestCheckResourceAttr(dataName, consts.FieldEnabled, "true"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldDefaultMount, "true"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldDefaultPathPolicy, "role:est-role"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldLabelToPathPolicy+".%", "2"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldLabelToPathPolicy+".test-label", "sign-verbatim"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldLabelToPathPolicy+".test-label-2", "role:est-role-2"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldAuthenticators+".#", "1"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldAuthenticators+".0.%", "2"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldAuthenticators+".0.cert.%", "2"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldAuthenticators+".0.cert.accessor", "test"),
+					// @TODO add these back in when Vault 1.16.3 is released (https://github.com/hashicorp/vault-enterprise/pull/5785)
+					// resource.TestCheckResourceAttr(dataName, consts.FieldAuthenticators+".0.cert.cert_role", "a-role"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldAuthenticators+".0.userpass.%", "1"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldAuthenticators+".0.userpass.accessor", "test2"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldEnableSentinelParsing, "true"),
+					resource.TestCheckResourceAttr(dataName, consts.FieldAuditFields+".#", "20"),
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldLastUpdated),
+				),
+			},
+			testutil.GetImportTestStep(resourceBackend, false, nil),
+		},
+	})
+}
+
+func testAccPKISecretBackendConfigEstComplete(pkiPath string) string {
+	return fmt.Sprintf(`
+resource "vault_mount" "test" {
+	path        = "%s"
+	type        = "pki"
+    description = "PKI secret engine mount"
+}
+
+resource "vault_pki_secret_backend_role" "est_role" {
+  backend = vault_mount.test.path
+  name = "est-role"
+  ttl = 3600
+  key_type = "ec"
+  key_bits = "256"
+}
+
+resource "vault_pki_secret_backend_role" "est_role_2" {
+  backend = vault_mount.test.path
+  name = "est-role-2"
+  ttl = 3600
+  key_type = "ec"
+  key_bits = "256"
+}
+
+resource "vault_pki_secret_backend_config_est" "test" {
+  backend = vault_mount.test.path
+  enabled = true
+  default_mount = true
+  default_path_policy = format("role:%%s", vault_pki_secret_backend_role.est_role.name)
+  label_to_path_policy = {
+     "test-label": "sign-verbatim",
+     "test-label-2": format("role:%%s", vault_pki_secret_backend_role.est_role_2.name)
+  }
+  authenticators { 
+	# @TODO add these back in when Vault 1.16.3 is released (https://github.com/hashicorp/vault-enterprise/pull/5785)
+	# cert = { "accessor" = "test", "cert_role" = "a-role" }
+	cert = { "accessor" = "test", "cert_role" = "" }
+	userpass = { "accessor" = "test2" } 
+  }	
+  enable_sentinel_parsing = true
+  audit_fields = ["csr", "common_name", "alt_names", "ip_sans", "uri_sans", "other_sans",
+                  "signature_bits", "exclude_cn_from_sans", "ou", "organization", "country", 
+                  "locality", "province", "street_address", "postal_code", "serial_number",
+                  "use_pss", "key_type", "key_bits", "add_basic_constraints"]
+}
+
+data "vault_pki_secret_backend_config_est" "test" {
+  backend = vault_pki_secret_backend_config_est.test.backend	
+}
+`, pkiPath)
+}
+
+func testAccPKISecretBackendConfigEstDisabled(path string) string {
+	return fmt.Sprintf(`
+resource "vault_mount" "test" {
+	path        = "%s"
+	type        = "pki"
+    description = "PKI secret engine mount"
+}
+
+resource "vault_pki_secret_backend_config_est" "test" {
+  backend = vault_mount.test.path
+}
+
+data "vault_pki_secret_backend_config_est" "test" {
+  backend = vault_pki_secret_backend_config_est.test.backend	
+}
+`, path)
+}
diff --git a/website/docs/d/pki_secret_backend_config_est.html.md b/website/docs/d/pki_secret_backend_config_est.html.md
new file mode 100644
index 000000000..ab8799a89
--- /dev/null
+++ b/website/docs/d/pki_secret_backend_config_est.html.md
@@ -0,0 +1,70 @@
+---
+layout: "vault"
+page_title: "Vault: vault_pki_secret_backend_config_est data source"
+sidebar_current: "docs-vault-datasource-pki-secret-backend-config-est"
+description: |-
+ Reads the PKI EST configuration from Vault Enterprise. 
+---
+
+# vault\_pki\_secret\_backend\_config\_est
+
+Reads the PKI EST configuration from Vault Enterprise.
+
+~> **Important** All data retrieved from Vault will be
+written in cleartext to state file generated by Terraform, will appear in
+the console output when Terraform runs, and may be included in plan files
+if secrets are interpolated into any resource attributes.
+Protect these artifacts accordingly. See
+[the main provider documentation](../index.html)
+for more details.
+
+## Example Usage
+
+```hcl
+resource "vault_mount" "pki" {
+  path        = "pki"
+  type        = "pki"
+  description = "PKI secret engine mount"
+}
+
+data "vault_pki_secret_backend_config_est" "est_config" {
+  backend     = vault_mount.pki.path
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `namespace` - (Optional) The namespace of the target resource.
+  The value should not contain leading or trailing forward slashes.
+  The `namespace` is always relative to the provider's configured [namespace](/docs/providers/vault/index.html#namespace).
+  *Available only for Vault Enterprise*.
+
+* `backend` - (Required) The path to the PKI secret backend to
+  read the EST configuration from, with no leading or trailing `/`s.
+ 
+## Attributes Reference
+
+* `authenticators` - Lists the mount accessors EST should delegate authentication requests towards (see [below for nested schema](#nestedatt--authenticators)).
+ 
+* `default_mount` -  If set, this mount is registered as the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster.
+ 
+* `default_path_policy` - Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:<role_name>.
+ 
+* `enable_sentinel_parsing` - If set, parse out fields from the provided CSR making them available for Sentinel policies.
+
+* `enabled` - Specifies whether EST is enabled.
+ 
+* `label_to_path_policy` - A pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:<role_name>. Labels must be unique across Vault cluster, and will register .well-known/est/<label> URL paths.
+ 
+* `audit_fields` - Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.
+ 
+* `last_updated` - A read-only timestamp representing the last time the configuration was updated.
+
+<a id="nestedatt--authenticators"></a>
+### Nested Schema for `authenticators`
+
+* `cert` - "The accessor and cert_role properties for cert auth backends".
+ 
+* `userpass` - "The accessor property for user pass auth backends".
diff --git a/website/docs/r/pki_secret_backend_config_est.html.md b/website/docs/r/pki_secret_backend_config_est.html.md
new file mode 100644
index 000000000..1f91a7e8f
--- /dev/null
+++ b/website/docs/r/pki_secret_backend_config_est.html.md
@@ -0,0 +1,109 @@
+---
+layout: "vault"
+page_title: "Vault: vault_pki_secret_backend_config_est resource"
+sidebar_current: "docs-vault-resource-pki-secret-backend-config-est"
+description: |-
+  Sets the EST configuration on a PKI Secret Backend for Vault.
+---
+
+# vault\_pki\_secret\_backend\_config\_est
+
+Allows setting the EST configuration on a PKI Secret Backend
+
+## Example Usage
+
+```hcl
+resource "vault_mount" "pki" {
+  path        = "pki-root"
+  type        = "pki"
+  description = "PKI secret engine mount"
+}
+
+resource "vault_pki_secret_backend_role" "est_role" {
+  backend = vault_mount.pki.path
+  name = "est-role"
+  ttl = 3600
+  key_type = "ec"
+  key_bits = "256"
+}
+
+resource "vault_pki_secret_backend_role" "est_role_2" {
+  backend = vault_mount.pki.path
+  name = "est-role-2"
+  ttl = 3600
+  key_type = "ec"
+  key_bits = "256"
+}
+
+resource "vault_pki_secret_backend_config_est" "example" {
+  backend = vault_mount.pki.path
+  enabled = true
+  default_mount = true
+  default_path_policy = format("role:%s", vault_pki_secret_backend_role.est_role.name)
+  label_to_path_policy = {
+     "test-label": "sign-verbatim",
+     "test-label-2": format("role:%s", vault_pki_secret_backend_role.est_role_2.name)
+  }
+  authenticators { 
+	cert = { 
+      "accessor" = "test", 
+      "cert_role" = "cert-auth-role" 
+    } 
+	userpass = { 
+      "accessor" = "test2" 
+    } 
+  }
+  enable_sentinel_parsing = true
+  audit_fields = ["csr", "common_name", "alt_names", "ip_sans", "uri_sans", "other_sans",
+    "signature_bits", "exclude_cn_from_sans", "ou", "organization", "country",
+    "locality", "province", "street_address", "postal_code", "serial_number",
+    "use_pss", "key_type", "key_bits", "add_basic_constraints"]
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `namespace` - (Optional) The namespace of the target resource.
+  The value should not contain leading or trailing forward slashes.
+  The `namespace` is always relative to the provider's configured [namespace](/docs/providers/vault/index.html#namespace).
+  *Available only for Vault Enterprise*.
+
+* `backend` - (Required) The path to the PKI secret backend to
+  read the EST configuration from, with no leading or trailing `/`s.
+
+* `authenticators` - (Optional) Lists the mount accessors EST should delegate authentication requests towards (see [below for nested schema](#nestedatt--authenticators)).
+
+* `default_mount` - (Optional) If set, this mount will register the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster.
+
+* `default_path_policy` - (Optional) Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:<role_name>.
+
+* `enable_sentinel_parsing` - (Optional) If set, parse out fields from the provided CSR making them available for Sentinel policies.
+
+* `enabled` - (Optional) Specifies whether EST is enabled.
+
+* `label_to_path_policy` - (Optional) Configures a pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:<role_name>. Labels must be unique across Vault cluster, and will register .well-known/est/<label> URL paths.
+
+* `audit_fields` - (Optional) Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.
+
+<a id="nestedatt--authenticators"></a>
+### Nested Schema for `authenticators`
+
+* `cert` - "The accessor (required) and cert_role (optional) properties for cert auth backends".
+
+* `userpass` - "The accessor (required) property for user pass auth backends".
+
+## Attributes Reference
+
+* `last_updated` - A read-only timestamp representing the last time the configuration was updated.
+
+## Import
+
+The PKI config cluster can be imported using the resource's `id`.
+In the case of the example above the `id` would be `pki-root/config/est`,
+where the `pki-root` component is the resource's `backend`, e.g.
+
+```
+$ terraform import vault_pki_secret_backend_config_est.example pki-root/config/est
+```
diff --git a/website/vault.erb b/website/vault.erb
index 6d9127a7a..e7d1fdfce 100644
--- a/website/vault.erb
+++ b/website/vault.erb
@@ -129,6 +129,10 @@
                             <a href="/docs/providers/vault/d/policy_document.html">vault_policy_document</a>
                         </li>
 
+                        <li<%= sidebar_current("docs-vault-datasource-pki-secret-backend-config-est") %>>
+                            <a href="/docs/providers/vault/d/pki_secret_backend_config_est.html">pki_secret_backend_config_est</a>
+                        </li>
+
                         <li<%= sidebar_current("docs-vault-datasource-pki-secret-backend-issuer") %>>
                             <a href="/docs/providers/vault/d/pki_secret_backend_issuer.html">pki_secret_backend_issuer</a>
                         </li>
@@ -553,6 +557,10 @@
                             <a href="/docs/providers/vault/r/pki_secret_backend_config_cluster.html">vault_pki_secret_backend_config_cluster</a>
                         </li>
 
+                        <li<%= sidebar_current("docs-vault-resource-pki-secret-backend-config-est") %>>
+                            <a href="/docs/providers/vault/r/pki_secret_backend_config_est.html">vault_pki_secret_backend_config_est</a>
+                        </li>
+
                         <li<%= sidebar_current("docs-vault-resource-pki-secret-backend-config-urls") %>>
                             <a href="/docs/providers/vault/r/pki_secret_backend_config_urls.html">vault_pki_secret_backend_config_urls</a>
                         </li>