diff --git a/REFERENCE.md b/REFERENCE.md
index e0a8bd7..53e9b84 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -48,7 +48,9 @@ ssl::keys:
The following parameters are available in the `ssl` class:
* [`cert_source`](#cert_source)
+* [`group_name`](#group_name)
* [`keys`](#keys)
+* [`manage_group`](#manage_group)
* [`manage_ssl_dir`](#manage_ssl_dir)
##### `cert_source`
@@ -57,6 +59,15 @@ Data type: `String[1]`
Where to find cert files with the file() function.
+##### `group_name`
+
+Data type: `Optional[String[1]]`
+
+The name of the group used for the `key_dir` permission.
+The group will be realized if the catalog contains a group virtual resource where the title matches this parameter.
+
+Default value: `'ssl-cert'`
+
##### `keys`
Data type: `Hash[String[1], String[1]]`
@@ -65,6 +76,14 @@ Private keys indexed by key names.
Default value: `{}`
+##### `manage_group`
+
+Data type: `Boolean`
+
+Whether to manage attributes of the `group`.
+
+Default value: ``true``
+
##### `manage_ssl_dir`
Data type: `Boolean`
diff --git a/manifests/init.pp b/manifests/init.pp
index 8eca825..09bb96a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -22,15 +22,24 @@
# @param [String[1]] cert_source
# Where to find cert files with the file() function.
#
+# @param [Optional[String[1]]] group_name
+# The name of the group used for the `key_dir` permission.
+# The group will be realized if the catalog contains a group virtual resource where the title matches this parameter.
+#
# @param [Hash[String[1], String[1]]] keys
# Private keys indexed by key names.
#
+# @param [Boolean] manage_group
+# Whether to manage attributes of the `group`.
+#
# @param [Boolean] manage_ssl_dir
# Enable or disable a file resource for the ssl directory
#
class ssl (
String[1] $cert_source,
+ Optional[String[1]] $group_name = 'ssl-cert',
Hash[String[1], String[1]] $keys = {},
+ Boolean $manage_group = true,
Boolean $manage_ssl_dir = true,
) {
# This doesn't quite follow the params pattern. Unfortunately, we have code
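Review bot: `Optional[String[1]] $group_name = 'ssl-cert',` admits `undef`, but nothing in the class body handles that value — the `@group { $group_name: ... }` title, `group => $group_name` and `require => Group[$group_name]` in the second hunk of this file all assume a non-empty string, so an explicit `undef` would most likely fail at catalog compilation with a resource-title error instead of a type mismatch naming the parameter. Unless an undef group is meant to mean "leave the group unmanaged" (which the body does not implement), declare it as `String[1] $group_name = 'ssl-cert',` and align the `@param` tag and REFERENCE.md with it. The parameter docs should also spell out the access consequence of this setting: `$key_dir` is created with `mode => '0750'` and `group => $group_name`, so every member of that group can read what is stored there; suggest adding under the `@param` tag `#   Members of this group can read the private key directory, so keep it limited to the services that need the keys.`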
@@ -60,14 +69,19 @@
mode => '0755',
}
- group { 'ssl-cert':
- ensure => present,
+ if $manage_group {
+ @group { $group_name:
+ ensure => present,
+ }
}
+ Group <| title == $group_name |>
+
file { $key_dir:
- ensure => directory,
- owner => 'root',
- group => 'ssl-cert',
- mode => '0750',
+ ensure => directory,
+ owner => 'root',
+ group => $group_name,
+ mode => '0750',
+ require => Group[$group_name],
}
}
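Review bot: The bare collector `Group <| title == $group_name |>` carries no comment explaining why the group is declared virtually and then realized, and a reader may assume the `manage_group => false` path leaves the group undeclared. Suggest placing above it: `# Realize the group whether it is declared virtually by this module (manage_group => true) or declared virtually elsewhere under the same title; File[$key_dir] below requires it.` Since `require => Group[$group_name]` is what turns an absent group into a compile failure, the comment could also state that this is intentional, which is what the spec's 'not declared in the catalog should fail' context checks.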
diff --git a/spec/classes/ssl_spec.rb b/spec/classes/ssl_spec.rb
index 51b73a0..78a9254 100644
--- a/spec/classes/ssl_spec.rb
+++ b/spec/classes/ssl_spec.rb
@@ -23,6 +23,68 @@ def mock_file_function(return_value)
}
end
+ context 'with custom group_name' do
+ context 'managed by the module' do
+ let(:params) do
+ {
+ 'cert_source' => 'profile/ssl',
+ 'group_name' => 'custom-group',
+ 'keys' => {
+ 'www.example.com' => 'some-private-key-data',
+ },
+ }
+ end
+
+ it { is_expected.to contain_group('custom-group') }
+
+ case os_facts[:os]['family']
+ when 'RedHat'
+ it { is_expected.to contain_file('/etc/pki/private').with_ensure('directory').with_group('custom-group') }
+ else
+ it { is_expected.to contain_file('/etc/ssl/private').with_ensure('directory').with_group('custom-group') }
+ end
+ end
+
+ context 'managed outside the module' do
+ let(:params) do
+ {
+ 'cert_source' => 'profile/ssl',
+ 'group_name' => 'custom-group',
+ 'keys' => {
+ 'www.example.com' => 'some-private-key-data',
+ },
+ 'manage_group' => false,
+ }
+ end
+
+ let(:pre_condition) { '@group { "custom-group": ensure => present, }' }
+
+ it { is_expected.to contain_group('custom-group') }
+
+ case os_facts[:os]['family']
+ when 'RedHat'
+ it { is_expected.to contain_file('/etc/pki/private').with_ensure('directory').with_group('custom-group') }
+ else
+ it { is_expected.to contain_file('/etc/ssl/private').with_ensure('directory').with_group('custom-group') }
+ end
+ end
+
+ context 'not declared in the catalog should fail' do
+ let(:params) do
+ {
+ 'cert_source' => 'profile/ssl',
+ 'group_name' => 'custom-group',
+ 'keys' => {
+ 'www.example.com' => 'some-private-key-data',
+ },
+ 'manage_group' => false,
+ }
+ end
+
+ it { is_expected.not_to compile }
+ end
+ end
+
it { is_expected.to compile }
it { is_expected.to contain_class('ssl::params') }
it { is_expected.to contain_group('ssl-cert') }
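Review bot: `it { is_expected.not_to compile }` in the 'not declared in the catalog should fail' context passes for any compilation failure, so it would keep passing if the catalog broke for an unrelated reason (a typo in the params hash, a future syntax error in the manifest) rather than the missing group; pin the reason with `it { is_expected.to compile.and_raise_error(/Group\[custom-group\]/) }`, checking the pattern against the actual rspec-puppet message for the unresolved `require`. Style: the same `params` hash is written out in all three inner contexts; a single `let(:params)` on the enclosing `'with custom group_name'` context, with the two `manage_group => false` contexts overriding it via `super().merge('manage_group' => false)`, removes the duplication, and the repeated `case os_facts[:os]['family']` branch could become one `let(:key_dir)` used by both `contain_file` expectations.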