Securing SSL Keys (for production web application) with Puppet and Hiera

I'd like to know what is the best way to secure SSL keys and certificates for web applications. I am using the roles/profiles pattern. Here is the scenario:

• I have a web application. There is a Puppet module that sets up the application. This module also sets up the SSL keys and certs required for it to run. These files are committed in the same repo (which is insecure) under app/files directory and are then places at the right locations using file type.
• There is a profile manifest that puts the stack together for this application - install and setup apache, install and setup memcached, install php and setup the application using the above module.

Now the SSL keys and certs are checked in the same repo and that's probably not the best way to do it. I am considering using hiera-eyaml module and then put the encrypted version of these certs and keys in a hiera file.

I was just wondering if that's the way most of the people do this? Or are there better ways of handling this?

I currently use hiera-eyaml on projects. We use the PKCS encryption, give everyone the public key so that they can make modifications, and the private key only exists on the puppet master and a secure backup. It has just worked after we got it setup, everyone quickly got used to using the tooling to encrypt values.