diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
index 2ad988180fc..625026cfecb 100644
--- a/cmd/boulder-wfe2/main.go
+++ b/cmd/boulder-wfe2/main.go
@@ -42,16 +42,19 @@ type Config struct {
 		TLSListenAddress string `validate:"omitempty,hostname_port"`
 
 		// Timeout is the per-request overall timeout. This should be slightly
-		// lower than the upstream's timeout when making requests to the WFE.
+		// lower than the upstream's timeout when making requests to this service.
 		Timeout config.Duration `validate:"-"`
 
+		// ShutdownStopTimeout determines the maximum amount of time to wait
+		// for extant request handlers to complete before exiting. It should be
+		// greater than Timeout.
+		ShutdownStopTimeout config.Duration
+
 		ServerCertificatePath string `validate:"required_with=TLSListenAddress"`
 		ServerKeyPath         string `validate:"required_with=TLSListenAddress"`
 
 		AllowOrigins []string
 
-		ShutdownStopTimeout config.Duration
-
 		SubscriberAgreementURL string
 
 		TLS cmd.TLSConfig
diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
index 4c14ead1e39..ec03eb05fc9 100644
--- a/cmd/ocsp-responder/main.go
+++ b/cmd/ocsp-responder/main.go
@@ -51,10 +51,15 @@ type Config struct {
 		// OCSP requests. This has a default value of ":80".
 		ListenAddress string `validate:"omitempty,hostname_port"`
 
-		// When to timeout a request. This should be slightly lower than the
-		// upstream's timeout when making request to ocsp-responder.
+		// Timeout is the per-request overall timeout. This should be slightly
+		// lower than the upstream's timeout when making requests to this service.
 		Timeout config.Duration `validate:"-"`
 
+		// ShutdownStopTimeout determines the maximum amount of time to wait
+		// for extant request handlers to complete before exiting. It should be
+		// greater than Timeout.
+		ShutdownStopTimeout config.Duration
+
 		// How often a response should be signed when using Redis/live-signing
 		// path. This has a default value of 60h.
 		LiveSigningPeriod config.Duration `validate:"-"`
@@ -80,8 +85,6 @@ type Config struct {
 		// 40 * 5 / 0.02 = 10,000 requests before the oldest request times out.
 		MaxSigningWaiters int `validate:"min=0"`
 
-		ShutdownStopTimeout config.Duration
-
 		RequiredSerialPrefixes []string `validate:"omitempty,dive,hexadecimal"`
 
 		Features features.Config
diff --git a/cmd/sfe/main.go b/cmd/sfe/main.go
index ebd06cac061..aeb8e8b9d22 100644
--- a/cmd/sfe/main.go
+++ b/cmd/sfe/main.go
@@ -25,11 +25,12 @@ type Config struct {
 		ListenAddress string `validate:"omitempty,hostname_port"`
 
 		// Timeout is the per-request overall timeout. This should be slightly
-		// lower than the upstream's timeout when making requests to the SFE.
+		// lower than the upstream's timeout when making requests to this service.
 		Timeout config.Duration `validate:"-"`
 
-		// ShutdownStopTimeout is the duration that the SFE will wait before
-		// shutting down any listening servers.
+		// ShutdownStopTimeout determines the maximum amount of time to wait
+		// for extant request handlers to complete before exiting. It should be
+		// greater than Timeout.
 		ShutdownStopTimeout config.Duration
 
 		TLS cmd.TLSConfig