diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py
index f0e7d5ced..ab47ae85d 100644
--- a/ipaclient/plugins/ca.py
+++ b/ipaclient/plugins/ca.py
@@ -33,13 +33,24 @@ class WithCertOutArgs(MethodOverride):
                                              error=str(e))
 
         result = super(WithCertOutArgs, self).forward(*keys, **options)
+
         if filename:
+            # if result certificate / certificate_chain not present in result,
+            # it means Dogtag did not provide it (probably due to LWCA key
+            # replication lag or failure.  The server transmits a warning
+            # message in this case, which the client automatically prints.
+            # So in this section we just ignore it and move on.
+            certs = None
             if options.get('chain', False):
-                certs = result['result']['certificate_chain']
+                if 'certificate_chain' in result['result']:
+                    certs = result['result']['certificate_chain']
             else:
-                certs = [base64.b64decode(result['result']['certificate'])]
-            certs = (x509.load_der_x509_certificate(cert) for cert in certs)
-            x509.write_certificate_list(certs, filename)
+                if 'certificate' in result['result']:
+                    certs = [base64.b64decode(result['result']['certificate'])]
+            if certs:
+                x509.write_certificate_list(
+                    (x509.load_der_x509_certificate(cert) for cert in certs),
+                    filename)
 
         return result
 
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 8567134ac..f7df9c28d 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -487,6 +487,15 @@ class FailedToAddHostDNSRecords(PublicMessage):
                "%(reason)s")
 
 
+class LightweightCACertificateNotAvailable(PublicMessage):
+    """
+    **13031** Certificate is not available
+    """
+    errno = 13031
+    type = "error"
+    format = _("The certificate for %(ca)s is not available on this server.")
+
+
 def iter_messages(variables, base):
     """Return a tuple with all subclasses
     """
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 88e7ec2a9..c8f1630c6 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -6,7 +6,7 @@ import base64
 
 import six
 
-from ipalib import api, errors, output, Bytes, DNParam, Flag, Str
+from ipalib import api, errors, messages, output, Bytes, DNParam, Flag, Str
 from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from ipapython.dn import ATTR_NAME_BY_OID
@@ -163,28 +163,53 @@ class ca(LDAPObject):
 
 
 def set_certificate_attrs(entry, options, want_cert=True):
+    """
+    Set certificate attributes into the entry.  Depending on
+    options, this may contact Dogtag to retrieve certificate or
+    chain.  If the retrieval fails with 404 (which can occur under
+    normal operation due to lightweight CA key replication delay),
+    return a message object that should be set in the response.
+
+    """
     try:
         ca_id = entry['ipacaid'][0]
     except KeyError:
-        return
+        return None
     full = options.get('all', False)
     want_chain = options.get('chain', False)
 
     want_data = want_cert or want_chain or full
     if not want_data:
-        return
+        return None
+
+    msg = None
 
     with api.Backend.ra_lightweight_ca as ca_api:
         if want_cert or full:
-            der = ca_api.read_ca_cert(ca_id)
-            entry['certificate'] = base64.b64encode(der).decode('ascii')
+            try:
+                der = ca_api.read_ca_cert(ca_id)
+                entry['certificate'] = base64.b64encode(der).decode('ascii')
+            except errors.HTTPRequestError as e:
+                if e.status == 404:  # pylint: disable=no-member
+                    msg = messages.LightweightCACertificateNotAvailable(
+                        ca=entry['cn'][0])
+                else:
+                    raise e
 
         if want_chain or full:
-            pkcs7_der = ca_api.read_ca_chain(ca_id)
-            certs = x509.pkcs7_to_certs(pkcs7_der, x509.DER)
-            ders = [cert.public_bytes(x509.Encoding.DER) for cert in certs]
-            entry['certificate_chain'] = ders
+            try:
+                pkcs7_der = ca_api.read_ca_chain(ca_id)
+                certs = x509.pkcs7_to_certs(pkcs7_der, x509.DER)
+                ders = [cert.public_bytes(x509.Encoding.DER) for cert in certs]
+                entry['certificate_chain'] = ders
+            except errors.HTTPRequestError as e:
+                if e.status == 404:  # pylint: disable=no-member
+                    msg = messages.LightweightCACertificateNotAvailable(
+                        ca=entry['cn'][0])
+                else:
+                    raise e
 
+    return msg
 
 @register()
 class ca_find(LDAPSearch):
@@ -198,7 +223,9 @@ class ca_find(LDAPSearch):
         result = super(ca_find, self).execute(*keys, **options)
         if not options.get('pkey_only', False):
             for entry in result['result']:
-                set_certificate_attrs(entry, options, want_cert=False)
+                msg = set_certificate_attrs(entry, options, want_cert=False)
+                if msg:
+                    self.add_message(msg)
         return result
 
 
@@ -220,7 +247,9 @@ class ca_show(LDAPRetrieve):
     def execute(self, *keys, **options):
         ca_enabled_check(self.api)
         result = super(ca_show, self).execute(*keys, **options)
-        set_certificate_attrs(result['result'], options)
+        msg = set_certificate_attrs(result['result'], options)
+        if msg:
+            self.add_message(msg)
         return result
 
 
@@ -284,7 +313,9 @@ class ca_add(LDAPCreate):
         return dn
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        set_certificate_attrs(entry_attrs, options)
+        msg = set_certificate_attrs(entry_attrs, options)
+        if msg:
+            self.add_message(msg)
         return dn