From e226efa79903d9e257c5a3ba4df76363cc722417 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Fri, 17 Nov 2023 16:35:12 -0500
Subject: [PATCH 1/3] Update soup

---
 salt/manager/tools/sbin/soup | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index c9d4b1936..9b27ec82c 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -450,6 +450,8 @@ post_to_2.4.20() {
 post_to_2.4.30() {
   echo "Regenerating Elastic Agent Installers"
   /sbin/so-elastic-agent-gen-installers
+  stop_salt_minion
+  systemctl_func "start" "salt-minion"
   POSTVERSION=2.4.30
 }
 
@@ -753,7 +755,13 @@ apply_hotfix() {
 
     elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
     /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
-    salt-call state.highstate
+    salt-call state.apply ca queue=True
+    stop_salt_minion
+    mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+    mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
+    systemctl_func "start" "salt-minion"
+    echo "Applying Salt Highstate"
+    salt-call state.highstate queue=True  
   else
    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
   fi

From 4fb9cce41ce34a19136c1d06bcead0a2777c4912 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Fri, 17 Nov 2023 16:38:50 -0500
Subject: [PATCH 2/3] Update signing_policies.conf

---
 salt/ca/files/signing_policies.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf
index cb57cc640..6f1b1f172 100644
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -37,7 +37,7 @@ x509_signing_policies:
     - ST: Utah
     - L: Salt Lake City
     - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment digitalSignature"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
     - extendedKeyUsage: serverAuth

From d89beefc8cdc65f1ac4d684aba4537da8ce1020b Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Fri, 17 Nov 2023 16:53:11 -0500
Subject: [PATCH 3/3] Update soup

---
 salt/manager/tools/sbin/soup | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 9b27ec82c..dc28cffd1 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -450,7 +450,10 @@ post_to_2.4.20() {
 post_to_2.4.30() {
   echo "Regenerating Elastic Agent Installers"
   /sbin/so-elastic-agent-gen-installers
+  salt-call state.apply ca queue=True
   stop_salt_minion
+  mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
+  mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
   systemctl_func "start" "salt-minion"
   POSTVERSION=2.4.30
 }