I've forwarded this bug upstream[1]; it seems obvious that the certificates need to be regenerated, but there are quite a few of them, and some of them have been expired for some time.
Upstream hasn't updated in a few years, which is a bit concerning, but puppetlabs software in general seems well-maintained; I've CC'd the relevant maintainers. This issue shouldn't be too difficult to fix, especially for people who actually know how to use openssl. [1]: https://github.com/puppetlabs/jvm-ssl-utils/issues/140
