Tags: unix, puppet, puppet-enterprise, puppetlabs-apache

Does Puppet Master-Client certificate ever expire?


During initial configuration of the Puppet agent, the agent obtains a security certificate signed by an authority recognized by the master -- most often the master itself -- with which it will subsequently identify itself to the master. Does this certificate ever expire or require an update?


Solution

  • Yes, all certificates signed by the Puppet CA have an expiration date, including agents' certificates, the master's certificate, and the CA's own self-signed certificate if in fact it is using such. The expiration timestamp is set by adding a fixed offset (specified by the configuration setting ca_ttl) to the date & time at which the cert is signed. The default ttl is five years, which is long enough to cover the full service life of all machines in many organizations.

    More problematic than an agent's certificate expiring is the CA cert expiring. If you let that happen without configuring a new CA cert, then master and nodes will thereafter reject each other's certs, forcing you to manually configure new certs for all of them.
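Since the expiry is a fixed `ca_ttl` offset from the signing time, the practical defence is to know the `notAfter` date of every cert in play (agent hostcerts and the CA cert) before it arrives. The following script is an added example, not code from the answer above or from Puppet itself; it relies only on `openssl` and its `-checkend` test. The warning window, the certificate paths and the constructed self-signed demo certificate (which stands in for a Puppet CA-signed cert) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Puppet): flag certificates
# whose notAfter date falls inside a warning window. Only openssl is required.

# cert_expires_within CERT DAYS
# Returns 0 (true) if CERT expires within DAYS days or is already expired,
# 1 otherwise. openssl's -checkend exits 0 only when the cert outlives the window.
cert_expires_within() {
    cert="$1"
    days="$2"
    seconds=$((days * 86400))
    if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0       # will expire inside the window (or has already)
}

# cert_not_after CERT: print the notAfter timestamp exactly as openssl reports it.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# make_test_cert OUT DAYS: constructed self-signed cert for an offline demo.
# It is NOT a Puppet artifact; it merely has a notAfter DAYS days from now.
make_test_cert() {
    out="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/CN=agent01.example.test" >/dev/null 2>&1
}

# check_puppet_certs WARN_DAYS CERT...
# Prints one status line per certificate; returns 0 if every cert outlives the
# warning window and 1 if any cert is inside it (suitable as a cron/monitoring exit code).
check_puppet_certs() {
    warn="$1"
    shift
    status=0
    for c in "$@"; do
        if cert_expires_within "$c" "$warn"; then
            echo "WARN  $c expires $(cert_not_after "$c") (within $warn days)"
            status=1
        else
            echo "OK    $c expires $(cert_not_after "$c")"
        fi
    done
    return $status
}

# Command-line entry point:
#   --demo                  build a 30-day and a 10-year cert and check them
#   WARN_DAYS CERT...       check real certificate files
# With no arguments (e.g. when sourced) nothing runs.
case "${1:-}" in
    --demo)
        tmp=$(mktemp -d)
        make_test_cert "$tmp/short.pem" 30
        make_test_cert "$tmp/long.pem" 3650
        check_puppet_certs 90 "$tmp/short.pem" "$tmp/long.pem"
        ;;
    "") ;;
    *)
        check_puppet_certs "$@"
        ;;
esac
```

On a real node the same function can be pointed at the paths Puppet itself reports, e.g. `sh check_puppet_certs.sh 90 "$(puppet config print hostcert)" "$(puppet config print localcacert)"`; a non-zero exit then means one of the agent cert or the CA cert is inside the 90-day window. The window itself is independent of `ca_ttl` (which is set in `puppet.conf`, for example `ca_ttl = 5y`); the point is to catch the CA cert, whose expiry is the costly case described above, well before the offset runs out.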