diff --git a/client/man/default.conf.5 b/client/man/default.conf.5
index f21d9d5b7..728fc0871 100644
--- a/client/man/default.conf.5
+++ b/client/man/default.conf.5
@@ -77,6 +77,9 @@ Specifies the hostname of the dogtag CA server. The default is the hostname of t
 .B ca_port
 Specifies the insecure CA end user port. The default is 8080.
 .TP
+.B certmonger_wait_timeout
+The time to wait for a certmonger request to complete during installation. The default value is 300 seconds.
+.TP
 .B context
 Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
 .TP
@@ -98,6 +101,9 @@ Specifies whether an IPA client should attempt to fall back and try other servic
 .B host
 Specifies the local system hostname.
 .TP
+.B http_timeout
+Timeout for HTTP blocking requests (e.g. connection). The default value is 30 seconds.
+.TP
 .B in_server
 Specifies whether requests should be forwarded to an IPA server or handled locally. This is used internally by IPA in a similar way as context. The same IPA framework is used by the ipa command\-line tool and the server. This setting tells the framework whether it should execute the command as if on the server or forward it via XML\-RPC to a remote server.
 .TP
@@ -160,6 +166,9 @@ Specifies the name of the CA back end to use. The current options are \fBdogtag\
 .B realm
 Specifies the Kerberos realm.
 .TP
+.B replication_wait_timeout
+The time to wait for a new entry to be replicated during replica installation. The default value is 300 seconds.
+.TP
 .B server
 Specifies the IPA Server hostname.
 .TP
diff --git a/ipalib/constants.py b/ipalib/constants.py
index a415af611..947876f0e 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -173,6 +173,8 @@ DEFAULT_CONFIG = (
 ('http_timeout', 30),
 # How long to wait for an entry to appear on a replica
 ('replication_wait_timeout', 300),
+ # How long to wait for a certmonger request to finish
+ ('certmonger_wait_timeout', 300),
 # Web Application mount points
 ('mount_ipa', '/ipa/'),
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 8d4170cc0..4311e9317 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -326,7 +326,11 @@ def request_and_wait_for_cert(
 deadline = time.time() + resubmit_timeout
 while True:
 # until success, timeout, or error
- state = wait_for_request(req_id, api.env.replication_wait_timeout)
+ try:
+ state = wait_for_request(req_id, api.env.http_timeout)
+ except RuntimeError as e:
+ logger.debug("wait_for_request raised %s", e)
+ state = 'TIMEOUT'
 ca_error = get_request_value(req_id, 'ca-error')
 if state == 'MONITORING' and ca_error is None:
 # we got a winner, exiting
@@ -336,7 +340,7 @@ def request_and_wait_for_cert(
 logger.debug(
 "Cert request %s failed: %s (%s)", req_id, state, ca_error
 )
- if state not in {'CA_REJECTED', 'CA_UNREACHABLE'}:
+ if state in {'CA_REJECTED', 'CA_UNREACHABLE'}:
 # probably unrecoverable error
 logger.debug("Giving up on cert request %s", req_id)
 break
@@ -344,8 +348,11 @@ def request_and_wait_for_cert(
 # no resubmit
 break
 elif time.time() > deadline:
- logger.debug("Request %s reached resubmit dead line", req_id)
+ logger.debug("Request %s reached resubmit deadline", req_id)
 break
+ elif state == 'TIMEOUT':
+ logger.debug("%s not in final state, continue waiting", req_id)
+ time.sleep(10)
 else:
 # sleep and resubmit
 logger.debug("Sleep and resubmit cert request %s", req_id)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6f0a24f97..0d5fb71e4 100644
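Review bot: With the `try` block in the first certmonger.py hunk the per-iteration wait drops from `api.env.replication_wait_timeout` to `api.env.http_timeout` (30 seconds per the constants.py hunk), and a caller that passes a falsy `resubmit_timeout` now leaves the loop after that single short wait with `state = 'TIMEOUT'`, because the no-resubmit `break` that opens the third hunk is tested before the new `elif state == 'TIMEOUT':` branch; the earlier code gave such a caller one 300-second wait. If the shorter wait is not intended for that case, pick the wait from the mode, e.g. `timeout = api.env.http_timeout if resubmit_timeout else api.env.certmonger_wait_timeout`, and pass `timeout` to `wait_for_request`; otherwise state the shorter wait in the function docstring. The handler also maps every `RuntimeError` from `wait_for_request` to `'TIMEOUT'`, so if that helper raises `RuntimeError` for anything other than expiry (not visible here) those failures would be retried as timeouts until the deadline; a comment such as `# wait_for_request signals expiry with RuntimeError` on the `except` line would record that assumption. What the function does with `state == 'TIMEOUT'` after the loop lies outside the hunk, as does the condition line of the no-resubmit branch.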
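Review bot: The inverted membership test in the second certmonger.py hunk now makes `CA_UNREACHABLE` a give-up state alongside `CA_REJECTED`, while the untouched `# probably unrecoverable error` comment suggests a final condition; by its name `CA_UNREACHABLE` reads as transient (the CA not yet answering during installation), so a reader will wonder why it is not routed to the resubmit path in the third hunk. If certmonger retries that state on its own, a comment saying so would settle it, e.g. `# CA_REJECTED is final and certmonger retries CA_UNREACHABLE itself, so resubmitting helps in neither case`; if it does not, consider excluding `CA_UNREACHABLE` from the set so it falls through to the deadline-bounded resubmit. The enclosing `while True:` loop of `request_and_wait_for_cert` starts in the first hunk and ends past the last one.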
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -874,7 +874,7 @@ class CAInstance(DogtagInstance):
 pre_command='renew_ra_cert_pre',
 post_command='renew_ra_cert',
 storage="FILE",
- resubmit_timeout=api.env.replication_wait_timeout
+ resubmit_timeout=api.env.certmonger_wait_timeout
 )
 self.__set_ra_cert_perms()
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 361ff783d..22ee79bd1 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -663,7 +663,7 @@ class CertDB:
 def request_service_cert(self, nickname, principal, host,
 resubmit_timeout=None):
 if resubmit_timeout is None:
- resubmit_timeout = api.env.replication_wait_timeout
+ resubmit_timeout = api.env.certmonger_wait_timeout
 return certmonger.request_and_wait_for_cert(
 certpath=self.secdir,
 storage='NSSDB',
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 55e0839ae..d92176f67 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -872,7 +872,7 @@ class DsInstance(service.Service):
 profile=dogtag.DEFAULT_PROFILE,
 dns=[self.fqdn],
 post_command=cmd,
- resubmit_timeout=api.env.replication_wait_timeout
+ resubmit_timeout=api.env.certmonger_wait_timeout
 )
 finally:
 if prev_helper is not None:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index c1964b9f8..a0e888e3f 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -385,7 +385,7 @@ class HTTPInstance(service.Service):
 post_command='restart_httpd',
 storage='FILE',
 passwd_fname=key_passwd_file,
- resubmit_timeout=api.env.replication_wait_timeout
+ resubmit_timeout=api.env.certmonger_wait_timeout
 )
 finally:
 if prev_helper is not None:
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 437e469fa..823723c55 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -459,7 +459,7 @@ class KrbInstance(service.Service):
 profile=KDC_PROFILE,
 post_command='renew_kdc_cert',
 perms=(0o644, 0o600),
- resubmit_timeout=api.env.replication_wait_timeout
+ resubmit_timeout=api.env.certmonger_wait_timeout
 )
 except dbus.DBusException as e:
 # if the certificate is already tracked, ignore the error
diff --git a/pylint_plugins.py b/pylint_plugins.py
index 503121c4f..0cd854f79 100644
--- a/pylint_plugins.py
+++ b/pylint_plugins.py
@@ -432,6 +432,7 @@ AstroidBuilder(MANAGER).string_build(textwrap.dedent(
 api.env.ca_host = ''
 api.env.ca_install_port = None
 api.env.ca_port = 0
+ api.env.certmonger_wait_timeout = 0
 api.env.conf = '' # object
 api.env.conf_default = '' # object
 api.env.confdir = '' # object