The Swift TLS certificates (signed by the Puppet CA) will expire on 14 April; they last 5 years.
They need renewing before then, a process which isn't in the swift docs, there is a manual process noted on wikitech.
I don't think the sometimes-mooted move to cfssl (T356412) would avoid the need for a manual rotation at some point in the future.