diff --git a/Makefile b/Makefile
index 3bde62a..e949a94 100644
--- a/Makefile
+++ b/Makefile
@@ -39,6 +39,7 @@ plugin-protos := \
 proto/spire/plugin/agent/keymanager/v1/keymanager.proto \
 proto/spire/plugin/agent/nodeattestor/v1/nodeattestor.proto \
 proto/spire/plugin/agent/svidstore/v1/svidstore.proto \
+ proto/spire/plugin/agent/serverattestor/v1/serverattestor.proto \
 proto/spire/plugin/agent/workloadattestor/v1/workloadattestor.proto \
 proto/spire/plugin/server/bundlepublisher/v1/bundlepublisher.proto \
 proto/spire/plugin/server/credentialcomposer/v1/credentialcomposer.proto \
diff --git a/proto/spire/plugin/agent/serverattestor/v1/serverattestor.pb.go b/proto/spire/plugin/agent/serverattestor/v1/serverattestor.pb.go
new file mode 100644
index 0000000..fafddba
--- /dev/null
+++ b/proto/spire/plugin/agent/serverattestor/v1/serverattestor.pb.go
@@ -0,0 +1,348 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.28.1 +// protoc v3.20.1 +// source: spire/plugin/agent/serverattestor/v1/serverattestor.proto + +package sviserverattestorv1 + +import ( + types "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/types" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type Use int32 + +const ( + Use_UNSPECIFIED Use = 0 + Use_BOOTSTRAP Use = 1 + Use_REBOOTSTRAP Use = 2 +) + +// Enum value maps for Use. +var ( + Use_name = map[int32]string{ + 0: "UNSPECIFIED", + 1: "BOOTSTRAP", + 2: "REBOOTSTRAP", + } + Use_value = map[string]int32{ + "UNSPECIFIED": 0, + "BOOTSTRAP": 1, + "REBOOTSTRAP": 2, + } +) + +func (x Use) Enum() *Use { + p := new(Use) + *p = x + return p +} + +func (x Use) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (Use) Descriptor() protoreflect.EnumDescriptor { + return file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_enumTypes[0].Descriptor() +} + +func (Use) Type() protoreflect.EnumType { + return &file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_enumTypes[0] +} + +func (x Use) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use Use.Descriptor instead. 
+func (Use) EnumDescriptor() ([]byte, []int) { + return file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDescGZIP(), []int{0} +} + +type GetTrustBundleRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Hint for which type of action this trust bundle will be used for + UseHint Use `protobuf:"varint,1,opt,name=use_hint,json=useHint,proto3,enum=spire.plugin.agent.serverattestor.v1.Use" json:"use_hint,omitempty"` + // Optional server url that is being used with the retrieved bundle + ServerUrl string `protobuf:"bytes,2,opt,name=server_url,json=serverUrl,proto3" json:"server_url,omitempty"` + // How many connection attempts to the server have been made so far + ConnectionAttempts int32 `protobuf:"varint,3,opt,name=connection_attempts,json=connectionAttempts,proto3" json:"connection_attempts,omitempty"` + // When was (re)bootstrapping started + Starttime *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=starttime,proto3" json:"starttime,omitempty"` +} + +func (x *GetTrustBundleRequest) Reset() { + *x = GetTrustBundleRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetTrustBundleRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetTrustBundleRequest) ProtoMessage() {} + +func (x *GetTrustBundleRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetTrustBundleRequest.ProtoReflect.Descriptor instead. 
+func (*GetTrustBundleRequest) Descriptor() ([]byte, []int) { + return file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDescGZIP(), []int{0} +} + +func (x *GetTrustBundleRequest) GetUseHint() Use { + if x != nil { + return x.UseHint + } + return Use_UNSPECIFIED +} + +func (x *GetTrustBundleRequest) GetServerUrl() string { + if x != nil { + return x.ServerUrl + } + return "" +} + +func (x *GetTrustBundleRequest) GetConnectionAttempts() int32 { + if x != nil { + return x.ConnectionAttempts + } + return 0 +} + +func (x *GetTrustBundleRequest) GetStarttime() *timestamppb.Timestamp { + if x != nil { + return x.Starttime + } + return nil +} + +type GetTrustBundleResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The trust bundle to use to talk to the server + Bundle *types.Bundle `protobuf:"bytes,1,opt,name=bundle,proto3" json:"bundle,omitempty"` + // Use the insecure bootstrap method + InsecureBootstrap bool `protobuf:"varint,2,opt,name=insecure_bootstrap,json=insecureBootstrap,proto3" json:"insecure_bootstrap,omitempty"` +} + +func (x *GetTrustBundleResponse) Reset() { + *x = GetTrustBundleResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetTrustBundleResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetTrustBundleResponse) ProtoMessage() {} + +func (x *GetTrustBundleResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetTrustBundleResponse.ProtoReflect.Descriptor 
instead. +func (*GetTrustBundleResponse) Descriptor() ([]byte, []int) { + return file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDescGZIP(), []int{1} +} + +func (x *GetTrustBundleResponse) GetBundle() *types.Bundle { + if x != nil { + return x.Bundle + } + return nil +} + +func (x *GetTrustBundleResponse) GetInsecureBootstrap() bool { + if x != nil { + return x.InsecureBootstrap + } + return false +} + +var File_spire_plugin_agent_serverattestor_v1_serverattestor_proto protoreflect.FileDescriptor + +var file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDesc = []byte{ + 0x0a, 0x39, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x61, + 0x67, 0x65, 0x6e, 0x74, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x61, 0x74, 0x74, 0x65, 0x73, + 0x74, 0x6f, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x61, 0x74, 0x74, + 0x65, 0x73, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x24, 0x73, 0x70, 0x69, + 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, + 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x6f, 0x72, 0x2e, 0x76, + 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x1a, 0x1f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, + 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x22, 0xe7, 0x01, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, + 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x44, 0x0a, + 0x08, 0x75, 0x73, 0x65, 0x5f, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x29, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x61, + 0x67, 0x65, 0x6e, 
0x74, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x61, 0x74, 0x74, 0x65, 0x73, + 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x52, 0x07, 0x75, 0x73, 0x65, 0x48, + 0x69, 0x6e, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x75, 0x72, + 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x55, + 0x72, 0x6c, 0x12, 0x2f, 0x0a, 0x13, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x5f, 0x61, 0x74, 0x74, 0x65, 0x6d, 0x70, 0x74, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, + 0x12, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x65, 0x6d, + 0x70, 0x74, 0x73, 0x12, 0x38, 0x0a, 0x09, 0x73, 0x74, 0x61, 0x72, 0x74, 0x74, 0x69, 0x6d, 0x65, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, + 0x6d, 0x70, 0x52, 0x09, 0x73, 0x74, 0x61, 0x72, 0x74, 0x74, 0x69, 0x6d, 0x65, 0x22, 0x7b, 0x0a, + 0x16, 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x32, 0x0a, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, + 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, + 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x42, 0x75, 0x6e, + 0x64, 0x6c, 0x65, 0x52, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x2d, 0x0a, 0x12, 0x69, + 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, + 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x11, 0x69, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x65, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x2a, 0x36, 0x0a, 0x03, 0x55, 0x73, + 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, + 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x42, 0x4f, 0x4f, 
0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x10, + 0x01, 0x12, 0x0f, 0x0a, 0x0b, 0x52, 0x45, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, + 0x10, 0x02, 0x32, 0x9e, 0x01, 0x0a, 0x0e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x74, 0x74, + 0x65, 0x73, 0x74, 0x6f, 0x72, 0x12, 0x8b, 0x01, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, + 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x3b, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, + 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x73, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, + 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3c, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, + 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, + 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x42, 0x63, 0x5a, 0x61, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2d, 0x70, + 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2d, 0x73, 0x64, 0x6b, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, + 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x61, 0x67, 0x65, + 0x6e, 0x74, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x6f, + 0x72, 0x2f, 0x76, 0x31, 0x3b, 0x73, 0x76, 0x69, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x61, 0x74, + 0x74, 0x65, 0x73, 0x74, 0x6f, 0x72, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDescOnce sync.Once + file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDescData = 
file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDesc +) + +func file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDescGZIP() []byte { + file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDescOnce.Do(func() { + file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDescData = protoimpl.X.CompressGZIP(file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDescData) + }) + return file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDescData +} + +var file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_goTypes = []interface{}{ + (Use)(0), // 0: spire.plugin.agent.serverattestor.v1.Use + (*GetTrustBundleRequest)(nil), // 1: spire.plugin.agent.serverattestor.v1.GetTrustBundleRequest + (*GetTrustBundleResponse)(nil), // 2: spire.plugin.agent.serverattestor.v1.GetTrustBundleResponse + (*timestamppb.Timestamp)(nil), // 3: google.protobuf.Timestamp + (*types.Bundle)(nil), // 4: spire.plugin.types.Bundle +} +var file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_depIdxs = []int32{ + 0, // 0: spire.plugin.agent.serverattestor.v1.GetTrustBundleRequest.use_hint:type_name -> spire.plugin.agent.serverattestor.v1.Use + 3, // 1: spire.plugin.agent.serverattestor.v1.GetTrustBundleRequest.starttime:type_name -> google.protobuf.Timestamp + 4, // 2: spire.plugin.agent.serverattestor.v1.GetTrustBundleResponse.bundle:type_name -> spire.plugin.types.Bundle + 1, // 3: spire.plugin.agent.serverattestor.v1.ServerAttestor.GetTrustBundle:input_type -> spire.plugin.agent.serverattestor.v1.GetTrustBundleRequest + 2, // 4: spire.plugin.agent.serverattestor.v1.ServerAttestor.GetTrustBundle:output_type -> spire.plugin.agent.serverattestor.v1.GetTrustBundleResponse + 4, // 
[4:5] is the sub-list for method output_type + 3, // [3:4] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name +} + +func init() { file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_init() } +func file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_init() { + if File_spire_plugin_agent_serverattestor_v1_serverattestor_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetTrustBundleRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetTrustBundleResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDesc, + NumEnums: 1, + NumMessages: 2, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_goTypes, + DependencyIndexes: file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_depIdxs, + EnumInfos: file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_enumTypes, + MessageInfos: file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_msgTypes, + }.Build() + File_spire_plugin_agent_serverattestor_v1_serverattestor_proto = out.File + file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_rawDesc = nil + 
file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_goTypes = nil
+ file_spire_plugin_agent_serverattestor_v1_serverattestor_proto_depIdxs = nil
+}
diff --git a/proto/spire/plugin/agent/serverattestor/v1/serverattestor.proto b/proto/spire/plugin/agent/serverattestor/v1/serverattestor.proto
new file mode 100644
index 0000000..90cbe5e
--- /dev/null
+++ b/proto/spire/plugin/agent/serverattestor/v1/serverattestor.proto
@@ -0,0 +1,42 @@
+syntax = "proto3";
+package spire.plugin.agent.serverattestor.v1;
+option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/serverattestor/v1;sviserverattestorv1";
+
+import "google/protobuf/timestamp.proto";
+import "spire/plugin/types/bundle.proto";
+
+service ServerAttestor {
+ // Get an up to date Trust Bundle for the initial contact with the server
+ rpc GetTrustBundle(GetTrustBundleRequest) returns (GetTrustBundleResponse);
+}
+
+message GetTrustBundleRequest {
+ // Information the Attestor may or may not use when determining the best
+ // trust bundle to use to contact the server
+
+ // Hint for which type of action this trust bundle will be used for
+ Use use_hint = 1;
+
+ // Optional server url that is being used with the retrieved bundle
+ string server_url = 2;
+
+ // How many connection attempts to the server have been made so far
+ int32 connection_attempts = 3;
+
+ // When was (re)bootstrapping started
+ google.protobuf.Timestamp starttime = 4;
+}
+
+message GetTrustBundleResponse {
+ // The trust bundle to use to talk to the server
+ spire.plugin.types.Bundle bundle = 1;
+
+ // Use the insecure bootstrap method
+ bool insecure_bootstrap = 2;
+}
+
+enum Use {
+ UNSPECIFIED = 0;
+ BOOTSTRAP = 1;
+ REBOOTSTRAP = 2;
+}
diff --git a/proto/spire/plugin/agent/serverattestor/v1/serverattestor_grpc.pb.go b/proto/spire/plugin/agent/serverattestor/v1/serverattestor_grpc.pb.go
new file mode 100644
index 0000000..9034a29
--- /dev/null
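Review bot: The `insecure_bootstrap` field of `GetTrustBundleResponse` lets a plugin reply switch the agent to first contact without authenticating the server, yet its comment does not say how it relates to `bundle` or what a response with neither field set means. The agent code that consumes this response is not in the diff, so the message definition is the only place the contract is stated; I would spell it out, for example `// If true, bootstrap without verifying the server; bundle must be empty. Callers should honor this only when insecure bootstrap is also enabled in the agent's own configuration.`, and note on `bundle` that an empty response is an error rather than a fallback to insecure. A `oneof` over the two fields would make the mutual exclusion structural instead of documented. Separately, the go_package alias `sviserverattestorv1` reads like a leftover from another plugin's alias and may have been meant as `serverattestorv1`; it is repeated in the `package` clause of the three generated files.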
+++ b/proto/spire/plugin/agent/serverattestor/v1/serverattestor_grpc.pb.go 
@@ -0,0 +1,103 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. + +package sviserverattestorv1 + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.32.0 or later. +const _ = grpc.SupportPackageIsVersion7 + +// ServerAttestorClient is the client API for ServerAttestor service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type ServerAttestorClient interface { + // Get an up to date Trust Bundle for the initial contact with the server + GetTrustBundle(ctx context.Context, in *GetTrustBundleRequest, opts ...grpc.CallOption) (*GetTrustBundleResponse, error) +} + +type serverAttestorClient struct { + cc grpc.ClientConnInterface +} + +func NewServerAttestorClient(cc grpc.ClientConnInterface) ServerAttestorClient { + return &serverAttestorClient{cc} +} + +func (c *serverAttestorClient) GetTrustBundle(ctx context.Context, in *GetTrustBundleRequest, opts ...grpc.CallOption) (*GetTrustBundleResponse, error) { + out := new(GetTrustBundleResponse) + err := c.cc.Invoke(ctx, "/spire.plugin.agent.serverattestor.v1.ServerAttestor/GetTrustBundle", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// ServerAttestorServer is the server API for ServerAttestor service. 
+// All implementations must embed UnimplementedServerAttestorServer +// for forward compatibility +type ServerAttestorServer interface { + // Get an up to date Trust Bundle for the initial contact with the server + GetTrustBundle(context.Context, *GetTrustBundleRequest) (*GetTrustBundleResponse, error) + mustEmbedUnimplementedServerAttestorServer() +} + +// UnimplementedServerAttestorServer must be embedded to have forward compatible implementations. +type UnimplementedServerAttestorServer struct { +} + +func (UnimplementedServerAttestorServer) GetTrustBundle(context.Context, *GetTrustBundleRequest) (*GetTrustBundleResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetTrustBundle not implemented") +} +func (UnimplementedServerAttestorServer) mustEmbedUnimplementedServerAttestorServer() {} + +// UnsafeServerAttestorServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to ServerAttestorServer will +// result in compilation errors. 
+type UnsafeServerAttestorServer interface { + mustEmbedUnimplementedServerAttestorServer() +} + +func RegisterServerAttestorServer(s grpc.ServiceRegistrar, srv ServerAttestorServer) { + s.RegisterService(&ServerAttestor_ServiceDesc, srv) +} + +func _ServerAttestor_GetTrustBundle_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetTrustBundleRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ServerAttestorServer).GetTrustBundle(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/spire.plugin.agent.serverattestor.v1.ServerAttestor/GetTrustBundle", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ServerAttestorServer).GetTrustBundle(ctx, req.(*GetTrustBundleRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// ServerAttestor_ServiceDesc is the grpc.ServiceDesc for ServerAttestor service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var ServerAttestor_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "spire.plugin.agent.serverattestor.v1.ServerAttestor", + HandlerType: (*ServerAttestorServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "GetTrustBundle", + Handler: _ServerAttestor_GetTrustBundle_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "spire/plugin/agent/serverattestor/v1/serverattestor.proto", +} diff --git a/proto/spire/plugin/agent/serverattestor/v1/serverattestor_spire_plugin.pb.go b/proto/spire/plugin/agent/serverattestor/v1/serverattestor_spire_plugin.pb.go new file mode 100644 index 0000000..ff1c77c --- /dev/null +++ b/proto/spire/plugin/agent/serverattestor/v1/serverattestor_spire_plugin.pb.go 
@@ -0,0 +1,50 @@ +// Code generated by protoc-gen-go-spire. DO NOT EDIT. + +package sviserverattestorv1 + +import ( + pluginsdk "github.com/spiffe/spire-plugin-sdk/pluginsdk" + grpc "google.golang.org/grpc" +) + +func ServerAttestorPluginServer(server ServerAttestorServer) pluginsdk.PluginServer { + return serverAttestorPluginServer{ServerAttestorServer: server} +} + +type serverAttestorPluginServer struct { + ServerAttestorServer +} + +func (s serverAttestorPluginServer) Type() string { + return "ServerAttestor" +} + +func (s serverAttestorPluginServer) GRPCServiceName() string { + return "spire.plugin.agent.serverattestor.v1.ServerAttestor" +} + +func (s serverAttestorPluginServer) RegisterServer(server *grpc.Server) interface{} { + RegisterServerAttestorServer(server, s.ServerAttestorServer) + return s.ServerAttestorServer +} + +type ServerAttestorPluginClient struct { + ServerAttestorClient +} + +func (s ServerAttestorPluginClient) Type() string { + return "ServerAttestor" +} + +func (c *ServerAttestorPluginClient) IsInitialized() bool { + return c.ServerAttestorClient != nil +} + +func (c *ServerAttestorPluginClient) GRPCServiceName() string { + return "spire.plugin.agent.serverattestor.v1.ServerAttestor" +} + +func (c *ServerAttestorPluginClient) InitClient(conn grpc.ClientConnInterface) interface{} { + c.ServerAttestorClient = NewServerAttestorClient(conn) + return c.ServerAttestorClient +}