Regenerate the SAML certificate
By default, the SAML certificate expires every 824 days. Regenerate the certificate when it is nearing or past expiration.
To check the expiry date of your current certificate, run this command on your
primary
server:
/opt/puppetlabs/puppet/bin/openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/saml-cert.pem -noout -startdate -enddate
To generate a new SAML certificate, remove the existing certificate. After you remove the existing certificate, a new one is generated automatically on the next Puppet run.