
betadots: Extending Puppet CA

 1 year ago
source link: https://dev.to/betadots/extending-puppet-ca-38l8

Extending Puppet CA

Puppet secures the connections between agents and server with TLS, using certificates issued by its own internal CA, whose root certificate is self-signed (the CA is implemented with Ruby's OpenSSL bindings).
By default the Puppet CA certificate is valid for 5 years. The lifetime comes from the ca_ttl setting, which controls the validity of the certificates the CA issues, including its own certificate when the CA is first generated. To get a 10-year CA, set it before puppetserver creates the CA at initial installation:

puppet config set --section server ca_ttl 10y

Changing ca_ttl afterwards only affects newly signed certificates; it does not extend a CA certificate that already exists.

For an existing installation the CA certificate can be re-signed with its existing key. The subject and the public key stay the same, so every certificate the CA has already issued keeps chaining to it, while the validity period is renewed. The following script, shared by Neeloy on the Puppet Community Slack, does this for the default Puppet 6 CA directory. On Puppet Server 7 and newer the CA directory is /etc/puppetlabs/puppetserver/ca unless the old location was kept, so check it first with `puppet config print cadir --section server` and adjust the cd line accordingly:

cd /etc/puppetlabs/puppet/ssl/ca
# Sanity check: both md5 sums must be identical, otherwise key and certificate do not belong together
(openssl rsa -noout -modulus -in ca_key.pem  2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in ca_crt.pem  2> /dev/null | openssl md5 )
# Generate a new CSR from the existing certificate (keeps the subject; extensions are not carried over)
openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
# Extensions of a Puppet CA certificate; subjectKeyIdentifier = hash reproduces the old SKI from the unchanged key
cat > extension.cnf << EOF
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Keep a backup of the old certificate, then self-sign the CSR with the same key for another 10 years
cp ca_crt.pem ca_crt.pem.old
openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
# Confirm the new validity period
openssl x509 -in ca_crt.pem -noout -text|grep -A 3 Validity
# Restore ownership for the puppet user
chown -R puppet: ./*
# Puppet Server also reads its copy of the CA certificate from certs/ca.pem
cd /etc/puppetlabs/puppet/ssl
cp -a ca/ca_crt.pem certs/ca.pem
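To see why the re-signed certificate is accepted in place of the old one, here is an added example (not from the post and not Puppet's code) that rehearses the same steps on a throwaway CA in a temporary directory standing in for the Puppet CA directory. It builds a CA certificate with one day left, issues one agent certificate from it, runs the re-signing procedure, and then checks what the procedure relies on: the key still matches the certificate, the subjectKeyIdentifier is unchanged, the lifetime is now long, and the agent certificate issued by the old CA certificate still verifies against the new one. The hostnames (demo.example, agent01.example), the scratch layout and the agent-certificate extension set are constructed for the demo; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not from the post or from Puppet): rehearse the re-signing
# procedure on a throwaway CA inside a temp dir that stands in for
# /etc/puppetlabs/puppet/ssl/ca, then check what the procedure depends on.
# Needs the openssl CLI; all names below are constructed for the demo.

# md5 of the RSA modulus, the key/cert match check from the post.
key_modulus_md5()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl md5 | awk '{print $NF}'; }
cert_modulus_md5() { openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl md5 | awk '{print $NF}'; }

# subjectKeyIdentifier of a cert; issued certs reference it via authorityKeyIdentifier.
cert_ski() { openssl x509 -noout -text -in "$1" | grep -A1 'Subject Key Identifier' | tail -n 1 | tr -d ' '; }

# 0 if the cert is still valid $2 seconds from now, 1 if it expires before then.
cert_valid_for() { openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; }

# Same extension section as the post, so the re-signed cert keeps CA:TRUE,
# keyCertSign/cRLSign and an SKI derived from the (unchanged) public key.
write_ca_extensions() {  # $1 = output file
  cat > "$1" <<'EOF'
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# The post's procedure as a function: $1 = dir with ca_key.pem and ca_crt.pem, $2 = days.
extend_ca() {
  write_ca_extensions "$1/extension.cnf" &&
  openssl x509 -x509toreq -in "$1/ca_crt.pem" -signkey "$1/ca_key.pem" -out "$1/ca_csr.pem" 2>/dev/null &&
  cp "$1/ca_crt.pem" "$1/ca_crt.pem.old" &&
  openssl x509 -req -days "$2" -in "$1/ca_csr.pem" -signkey "$1/ca_key.pem" \
    -extfile "$1/extension.cnf" -extensions CA_extensions -out "$1/ca_crt.pem" 2>/dev/null
}

# Build a CA with one day left plus an agent cert it signed, extend the CA,
# and verify: same key, same SKI, long lifetime, agent cert still chains.
run_extend_ca_demo() {  # $1 = scratch dir
  ca="$1/ca"; mkdir "$ca" || return 1
  write_ca_extensions "$ca/extension.cnf"
  cat > "$1/agent.cnf" <<'EOF'
[agent_extensions]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  # Short-lived demo CA (constructed subject), built the way the post rebuilds it.
  openssl genrsa -out "$ca/ca_key.pem" 2048 2>/dev/null &&
  openssl req -new -key "$ca/ca_key.pem" -subj "/CN=Puppet CA: demo.example" -out "$ca/ca_csr.pem" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$ca/ca_csr.pem" -signkey "$ca/ca_key.pem" \
    -extfile "$ca/extension.cnf" -extensions CA_extensions -out "$ca/ca_crt.pem" 2>/dev/null || return 1
  # One agent certificate issued by the old CA cert (constructed hostname).
  openssl genrsa -out "$1/agent_key.pem" 2048 2>/dev/null &&
  openssl req -new -key "$1/agent_key.pem" -subj "/CN=agent01.example" -out "$1/agent_csr.pem" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$1/agent_csr.pem" -CA "$ca/ca_crt.pem" -CAkey "$ca/ca_key.pem" -CAcreateserial \
    -extfile "$1/agent.cnf" -extensions agent_extensions -out "$1/agent_crt.pem" 2>/dev/null || return 1

  old_ski=$(cert_ski "$ca/ca_crt.pem")
  [ -n "$old_ski" ] || { echo "no subjectKeyIdentifier in demo CA cert"; return 1; }
  cert_valid_for "$ca/ca_crt.pem" 2592000 && { echo "demo CA should expire within 30 days"; return 1; }

  extend_ca "$ca" 3650 || { echo "re-signing failed"; return 1; }

  [ "$(key_modulus_md5 "$ca/ca_key.pem")" = "$(cert_modulus_md5 "$ca/ca_crt.pem")" ] || { echo "key and cert do not match"; return 1; }
  [ "$(cert_ski "$ca/ca_crt.pem")" = "$old_ski" ] || { echo "subjectKeyIdentifier changed"; return 1; }
  cert_valid_for "$ca/ca_crt.pem" 157680000 || { echo "validity not extended"; return 1; }    # more than 5 years left
  cert_valid_for "$ca/ca_crt.pem.old" 157680000 && { echo "backup cert unexpectedly long-lived"; return 1; }
  openssl verify -CAfile "$ca/ca_crt.pem" "$1/agent_crt.pem" >/dev/null 2>&1 || { echo "agent cert no longer chains"; return 1; }
  echo "ok: CA re-signed, SKI unchanged, agent cert still verifies against the new CA cert"
}

extend_ca_demo() {
  work=$(mktemp -d) || return 1
  run_extend_ca_demo "$work"; rc=$?
  rm -rf "$work"
  return $rc
}

extend_ca_demo
```

The same last check is the one worth running on a real server after the script above: `openssl verify -CAfile ca/ca_crt.pem certs/<hostname>.pem` from the ssl directory must still succeed for an existing host certificate. The demo deliberately leaves the serial number to OpenSSL's random default, as the post's command does; the chain still validates because issued certificates reference the CA by name and by the key-derived subjectKeyIdentifier, both of which are unchanged.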

Another option is the puppetlabs ca_extend module, which provides Bolt tasks and plans to extend an existing CA certificate and to distribute the new one to the agents.

Whichever way the certificate is re-signed, restart puppetserver afterwards so it loads the new CA certificate. Every agent also keeps its own copy of the CA certificate (ca.pem in its ssldir), and that copy has to be replaced on all agents before the old certificate expires, otherwise they will stop trusting the server's certificate chain.

Happy hacking, and have fun continuing to use Puppet.

