Go decentralized.
Instead of signing certificates, make ssh keys. Don’t give the keys to non-admins
You can use Git as your transport instead of subversion, and then you can branch for different machines/roles, and then version your changes, as well as allowing for… but you must know the DVCS spiel at this point.
It’s faster, and less finicky to set up. Add some commit hooks for sanity checking.
Now, at this point, you’ve replaced the puppetmaster, with its client-server model, with ssh and git, both of which scale better than the puppetmaster.
Now, there might be a need in your organization for hierarchy. No problem, just store the git repo containing the definitive branch somewhere safe.
Bonus:
git blame
will allow you to see who made a change.
http://bitfieldconsulting.com/scaling-puppet-with-distributed-version-control
https://www.braintreepayments.com/braintrust/decentralize-your-devops-with-masterless-puppet-and-supply-drop?