diff --git a/manifests/config.pp b/manifests/config.pp
index 15079c495..d29be02af 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -74,6 +74,12 @@
 }
 if $foreman::manage_user {
+ if $foreman::puppet_ssldir in $foreman::server_ssl_key or $foreman::puppet_ssldir in $foreman::client_ssl_key {
+ $_user_groups = $foreman::user_groups + ['puppet']
+ } else {
+ $_user_groups = $foreman::user_groups
+ }
+
 group { $foreman::group:
 ensure => 'present',
 }
@@ -83,7 +89,7 @@
 comment => 'Foreman',
 home => $foreman::app_root,
 gid => $foreman::group,
- groups => $foreman::user_groups,
+ groups => unique($_user_groups),
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 4be4f2898..43f36bfec 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -24,7 +24,7 @@
 $manage_user = true
 $user = 'foreman'
 $group = 'foreman'
- $user_groups = ['puppet']
+ $user_groups = []
 $rails_env = 'production'
 $version = 'present'
 $plugin_version = 'present'
diff --git a/spec/acceptance/hieradata/common.yaml b/spec/acceptance/hieradata/common.yaml
index 755070787..abe0c26fb 100644
--- a/spec/acceptance/hieradata/common.yaml
+++ b/spec/acceptance/hieradata/common.yaml
@@ -5,4 +5,6 @@ foreman::server_ssl_cert: /etc/foreman-certs/certificate.pem
 foreman::server_ssl_chain: /etc/foreman-certs/certificate.pem
 foreman::server_ssl_crl: ""
 foreman::server_ssl_key: /etc/foreman-certs/key.pem
-foreman::user_groups: []
+foreman::client_ssl_ca: /etc/foreman-certs/certificate.pem
+foreman::client_ssl_cert: /etc/foreman-certs/certificate.pem
+foreman::client_ssl_key: /etc/foreman-certs/key.pem
diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
index 5d5c41839..c1588815e 100644
--- a/spec/classes/foreman_spec.rb
+++ b/spec/classes/foreman_spec.rb
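Review bot: The two `in` tests on the added `if` line in manifests/config.pp are substring matches (case-insensitive for strings in Puppet), not path-prefix checks, so any key path that merely contains the ssldir string puts the foreman user in the `puppet` group. That membership presumably exists to let the account read Puppet's private keys, so the condition that grants it should be as narrow as possible; an anchored prefix comparison against `"${foreman::puppet_ssldir}/"` would be tighter. At minimum add a comment above the `if`, for example `# 'in' is a substring match: any key path containing puppet_ssldir adds the puppet group`. The enclosing `if $foreman::manage_user` block closes outside this hunk.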
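Review bot: Switching `groups` to `unique($_user_groups)` in the second manifests/config.pp hunk only stops adding `puppet`; it does not remove the membership from hosts that already have it, because the `user` type's `membership` attribute defaults to `minimum` and leaves extra groups in place. The head of the user resource is outside the hunk, so whether `membership` is set cannot be confirmed from here. If it is not, upgraded installs that use non-Puppet certificates keep their group access to Puppet's SSL directory, which defeats the least-privilege intent of the change. Either add `membership => inclusive,` to the resource (noting that it also strips groups assigned outside Puppet) or state in the release notes that the group has to be removed manually.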
@@ -409,6 +409,19 @@
 it { should_not contain_class('redis::instance') }
 end
 end
+
+ describe 'with non-Puppet SSL certificates' do
+ let(:params) do
+ super().merge(
+ server_ssl_key: '/etc/pki/localhost.key',
+ server_ssl_cert: '/etc/pki/localhost.crt',
+ client_ssl_key: '/etc/pki/localhost.key',
+ client_ssl_cert: '/etc/pki/localhost.crt',
+ )
+ end
+
+ it { should contain_user('foreman').with('groups' => []) }
+ end
 end
 end
 end
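Review bot: The new `describe 'with non-Puppet SSL certificates'` block pins only the negative case (`'groups' => []` with keys under `/etc/pki`). Nothing in this hunk asserts that `puppet` is still granted when a key lives under the Puppet ssldir, or that `unique()` collapses the duplicate when `user_groups` already contains `puppet`. Those may be covered elsewhere in the spec file, which is not visible here. If they are not, add a sibling context with `user_groups: ['puppet']` and key paths under the Puppet ssldir, asserting `it { should contain_user('foreman').with('groups' => ['puppet']) }`. A mixed case, with only `client_ssl_key` under the ssldir, would also pin the `or` in the manifest condition, since that branch decides who can read private keys.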