My advice might not be the best, but it's what worked for me when our master CA certificate expired. These are my raw notes from when I had to renew our puppetserver certificate. The original certificate was likely Puppet 4 and expired when running Puppet 6. I googled around and took some steps from various blog posts I found, so most of these aren't my original ideas:
# Verify (the two MD5 values must be identical: CA key and CA cert share a modulus)
cd /etc/puppetlabs/puppet/ssl/ca
( openssl rsa -noout -modulus -in ca_key.pem 2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in ca_crt.pem 2> /dev/null | openssl md5 )
# Generate new CSR
openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
# Sign
cat > extension.cnf << EOF
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cp ca_crt.pem ca_crt.pem.old
openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
openssl x509 -in ca_crt.pem -noout -text|grep -A 3 Validity
chown puppet: ./*
cd /etc/puppetlabs/puppet/ssl
cp -a ca/ca_crt.pem certs/ca.pem
# CLIENTS
/opt/puppetlabs/bin/puppet resource file /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent
/opt/puppetlabs/bin/puppet ssl download_cert
systemctl restart choria-server
For expired client certs, when that happens to me I will do "rm -rf /etc/puppetlabs/puppet/ssl" on the agent (never master) and then run Puppet, which will request a new cert, then sign the cert and run Puppet again. That process is rather tedious and not something I've automated really well, but also not something I have had happen frequently, as we don't tend to keep servers around for 5+ years.
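Added example, not part of the post above: a rehearsal of the same renewal steps in a scratch directory, checking that the re-issued CA certificate keeps the subject and public key and that an agent certificate issued before the renewal still verifies against it. The CA name, agent name, function names and the 1-day/30-day lifetimes are constructed for the demo.

```shell
# Added example; the CA name, agent name and scratch directory are constructed.
# Build a throwaway CA (valid 1 day) and one agent certificate in directory $1.
make_demo_pki() (
  cd "$1" || exit 1
  cat > extension.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Puppet CA
[CA_extensions]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out ca_key.pem 2048 2>/dev/null &&
  openssl req -x509 -new -key ca_key.pem -config extension.cnf \
    -extensions CA_extensions -days 1 -out ca_crt.pem &&
  openssl genrsa -out agent_key.pem 2048 2>/dev/null &&
  openssl req -new -key agent_key.pem -config extension.cnf \
    -subj "/CN=agent01.example.test" -out agent_csr.pem &&
  openssl x509 -req -in agent_csr.pem -CA ca_crt.pem -CAkey ca_key.pem \
    -CAcreateserial -days 30 -out agent.pem 2>/dev/null
)

# The renewal steps from the notes, run in $1: same key, same subject.
renew_ca() (
  cd "$1" || exit 1
  cp ca_crt.pem ca_crt.pem.old &&
  openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem &&
  openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem \
    -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions 2>/dev/null
)

# Same subject and key, longer validity, and the old agent cert still verifies.
check_renewal() (
  cd "$1" || exit 1
  [ "$(openssl x509 -noout -subject -pubkey -in ca_crt.pem)" = \
    "$(openssl x509 -noout -subject -pubkey -in ca_crt.pem.old)" ] || exit 1
  ! openssl x509 -noout -checkend 31536000 -in ca_crt.pem.old >/dev/null || exit 1
  openssl x509 -noout -checkend 31536000 -in ca_crt.pem >/dev/null || exit 1
  openssl verify -CAfile ca_crt.pem agent.pem >/dev/null 2>&1
)
rehearse() {
  dir=$(mktemp -d) || return 1
  make_demo_pki "$dir" && renew_ca "$dir" && check_renewal "$dir"; rc=$?
  rm -rf "$dir"; return "$rc"
}
rehearse && echo "agent cert issued before renewal verifies against renewed CA"
```

Pointing `check_renewal` at a copy of the real `ca` directory (with one existing agent certificate saved there as `agent.pem`) gives the same checks before the renewed `ca_crt.pem` is distributed.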