The idea that the thing that needs the certificate, gets the certificate doesn't seem that perverse to me. The interface/port-bound httpd needs to known what domains it's serving, what certificates it's using.

Automating this is pure benefit to those that want it, and a non-issue to those who don't — just don't use it.