Further investigation tells me this is a requirement.
The problem with this is the risk associated with giving users admin access to a production controller. Because of the complicated process of generating a certificate from the controller, I don't know many admins who are responsible for an intrastructure core controller that would feel comfortable with users performing this.
Just a note... don't expect a response. Thanks.