diff --git a/feeds/tip/cloud_discovery/files/usr/bin/est_client b/feeds/tip/cloud_discovery/files/usr/bin/est_client
index b22c06340..ff8543368 100755
--- a/feeds/tip/cloud_discovery/files/usr/bin/est_client
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
@@ -3,6 +3,7 @@
 'use strict';
 import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
+import { query } from 'resolv';
 import * as fs from 'fs';
 import * as libuci from 'uci';
@@ -11,7 +12,49 @@ let store_operational_ca = false;
 let est_server = 'est.certificates.open-lan.org';
 let cert_prefix = 'operational';
+function discover_est_server_via_caa() {
+ let cloud_config = fs.readfile('/tmp/cloud.json');
+ if (!cloud_config)
+ return null;
+
+ let cloud = json(cloud_config);
+ if (!cloud || !cloud.dhcp_server)
+ return null;
+
+ let controller_fqdn = cloud.dhcp_server;
+ let fqdn_parts = split(controller_fqdn, ':');
+ if (length(fqdn_parts) > 0)
+ controller_fqdn = fqdn_parts[0];
+
+ ulog(LOG_INFO, `Attempting CAA lookup for controller FQDN: ${controller_fqdn}\n`);
+
+ let result = query([controller_fqdn], { type: ['CAA'] });
+
+ if (!result || !result[controller_fqdn] || !result[controller_fqdn].CAA)
+ return null;
+
+ let caa_records = result[controller_fqdn].CAA;
+
+ for (let record in caa_records) {
+ if (record.tag == 'issue') {
+ let est_server = trim(record.value, '" ');
+ ulog(LOG_INFO, `Found EST server via CAA: ${est_server}\n`);
+ return est_server;
+ }
+ }
+
+ return null;
+}
+
 function set_est_server() {
+ let discovered_server = discover_est_server_via_caa();
+ if (discovered_server) {
+ est_server = discovered_server;
+ return;
+ }
+
+ ulog(LOG_INFO, 'No EST server found via CAA, using certificate issuer-based selection\n');
+
 let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
 let issuer = pipe.read("all");
 pipe.close();
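Review bot: discover_est_server_via_caa() lets an unauthenticated DNS answer replace the hard-coded EST server — the controller FQDN itself comes from DHCP-supplied /tmp/cloud.json and `query()` gives no DNSSEC validation here — so anyone able to spoof the CAA response can point enrollment at a server of their choosing unless the EST transport verifies the peer (not visible in this hunk); at minimum the discovered value should be validated before use and this trust boundary stated in a comment on the function. The `issue` value is also used whole after stripping quotes, yet CAA syntax allows parameters after a `;` (e.g. `example.org; policy=x`), which would become part of the server name; take only the issuer domain, `let issuer = trim(split(record.value, ';')[0], '" ');`, and skip anything that is not a plain hostname, `if (!match(issuer, /^[A-Za-z0-9.-]+$/)) continue;`. The `let est_server` inside the loop shadows the file-level `est_server` declared at the top of the hunk; a different local name avoids confusion. The body of set_est_server() continues outside the hunk.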