I'd like to start by saying that I'm not sure how difficult or how feasible this would be, but a long time ago we (or at least I) thought having automatic SSL renewals pushed to GitHub would be extremely difficult and maybe not possible, but here we are!
By making an automated system where, after generation, the private key is automatically updated on puppet2, the `puppet-users` group can be eliminated, and mw-admins would be able to generate SSL certificates without the need for the extra group. It would also, of course, make the custom domain process easier.