I indeed propose to get rid of it because I’m with you: while I like DNS, I get those same hives you mention. It’s in the current codebase (added in fixes #2121, #2069 - restrict importers and ENC to puppetmasters and … · theforeman/foreman@358ec5a · GitHub) but not reachable in the default configuration.
This is a bit off topic, but code-wise there is no dependency on Puppet's CA stack. We've always used it because historically Foreman was only deployed in environments where it was already present, so it was convenient. However, there is no code that actually ties it to Puppet. It's just standard PKI, and if you provide the right files in the right places with the right permissions, you can use any CA. We've just never really documented it, and that makes it tricky to get right. In Installation of 3.1 without Puppet fails - #4 by ekohl I did show what I think should work, but it doesn't talk about permissions. In my experiments I made a `foreman-certs` group and used `--foreman-user-groups foreman-certs --foreman-proxy-groups foreman-certs`. Technically you can use Let's Encrypt as well, but for authentication I would be cautious since wildcard certificates do make it less secure (Foreman supports that, Foreman Proxy doesn't).
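The post's point about "the right permissions" is the part that is easy to get wrong when two service users share one private key. The following is an added example, not code from the original post or from the Foreman project: a small POSIX shell check that a key file is owned by the shared group (the post's `foreman-certs`) and carries no world-readable bits, plus the remediation that makes it so. The key path and the use of GNU `stat -c` are assumptions; the group name is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post or the Foreman project).
# Verifies that a TLS private key shared between the foreman and
# foreman-proxy service users is group-owned by a shared group such as
# "foreman-certs" and is not readable outside that group.
#
# Assumes GNU coreutils stat (-c '%G' / -c '%a'); adjust for BSD stat.

# check_key_perms KEYFILE GROUP
# Returns 0 when KEYFILE is group-owned by GROUP and its mode has no
# "other" bits (0640, 0600, 0440, ...); 1 when the policy is violated;
# 2 when the file cannot be inspected.
check_key_perms() {
    key="$1"
    group="$2"
    [ -f "$key" ] || { echo "missing: $key" >&2; return 2; }
    actual_group=$(stat -c '%G' "$key") || return 2
    mode=$(stat -c '%a' "$key") || return 2   # e.g. 640
    if [ "$actual_group" != "$group" ]; then
        echo "$key: group is $actual_group, expected $group" >&2
        return 1
    fi
    # The last octal digit is the "other" permission set.
    other=${mode#${mode%?}}
    if [ "$other" != "0" ]; then
        echo "$key: mode $mode is readable outside group $group" >&2
        return 1
    fi
    return 0
}

# fix_key_perms KEYFILE GROUP
# Puts KEYFILE under GROUP with mode 0640 so that every member of GROUP
# (here: both the foreman and foreman-proxy users) can read it and nobody
# else can. Requires the caller to own the file and be a member of GROUP
# (or be root).
fix_key_perms() {
    chgrp "$2" "$1" && chmod 0640 "$1"
}

# Manual use (hypothetical path):
#   check_key_perms /etc/foreman-certs/key.pem foreman-certs || \
#       fix_key_perms /etc/foreman-certs/key.pem foreman-certs
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    check_key_perms "$1" "$2"
fi
```

Running the check before starting the services is the quick way to tell a "file not found" failure from a "permission denied" one, since both service users must be in the group for the shared key to work.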