I’m in the same situation.
I tried to use a wildcard certificate for the web interface, but the proxy and puppet agent, who use SSL certificate to authenticate would fail with the wildcard.
The only way around that I found was to duplicate the 05-fireman-ssl.conf file, change the ServerName manually to the web wildcard domain, set the wildcard certificate, and use an internal domain that use the Puppet CA for the default configuration.
This is a dirty hack, as it create 2 passenger instance and which not always survive a new foreman-installer.