puppet ssl bootstrap and cert requests

[Bob Negri]

Does 'puppet ssl bootstrap' only result in a new certificate if the existing one is expired?

Currently we have a process that backs up the ssl directory, deletes it, and forces a puppet agent run:

puppet agent -t --tag=nosuchtag

The backing up and deleting of 'ssl' seems over kill but we are trying to renew our certificates monthly. Also, we insert a OTP into the car_attributes.yaml file, and it is rather short lived.

Thanks,

Bob