Yes, all certificates signed by the Puppet Certification Authority have a validity period, including agent certificates, the master certificate, and the self-signed CA certificate, if it actually uses one. The expiration timestamp is set by adding a fixed offset (specified by the ca_ttl configuration setting) to the date and time when the certificate is signed. By default, the ttl is five years, which is long enough to cover the entire life of all machines in many organizations.
More problematic than an agent certificate expiring is the CA certificate expiring. If you allow this to happen without setting up a new CA certificate, then the master and the nodes subsequently reject each other's certificates, forcing you to manually configure new certificates for all of them.
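The expiry rule described in the answer above, as an added example that is not part of the original answer and not Puppet's own code. It uses Ruby's standard OpenSSL library on certificates constructed in memory; the helper names (`issue`, `usable_until`, `expiring`) and the subjects are hypothetical, and it shows why an agent certificate with years left on it is still bounded by the CA certificate's expiry.

```ruby
require 'openssl'

YEAR   = 365 * 24 * 3600
CA_TTL = 5 * YEAR # the five-year default ca_ttl, in seconds

# Issue a certificate whose notAfter is signing time + ttl.
# issuer_cert nil means self-signed (the CA's own certificate).
def issue(subject, key, issuer_cert, issuer_key, signed_at, ttl = CA_TTL)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = signed_at
  cert.not_after  = signed_at + ttl
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A certificate stops validating when it or its CA expires, whichever is first.
def usable_until(cert, ca_cert)
  [cert.not_after, ca_cert.not_after].min
end

# Subjects of certificates that stop validating within `window` seconds of `now`.
def expiring(certs, ca_cert, now, window)
  certs.select { |c| usable_until(c, ca_cert) - now <= window }
       .map { |c| c.subject.to_s }
end

# Constructed sample: CA signed 4.5 years ago, agent signed 1 year ago.
NOW     = Time.utc(2024, 1, 1)
CA_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT = issue('/CN=constructed-ca', CA_KEY, nil, CA_KEY, NOW - (4.5 * YEAR).to_i)
AGENT   = issue('/CN=constructed-agent', OpenSSL::PKey::RSA.new(2048),
                CA_CERT, CA_KEY, NOW - YEAR)

puts "agent notAfter: #{AGENT.not_after}"
puts "CA notAfter:    #{CA_CERT.not_after}"
puts "stops validating within a year: #{expiring([AGENT], CA_CERT, NOW, YEAR)}"
```

The agent's own notAfter is four years away, yet it is reported because the CA certificate expires in six months.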