Usually Ambari server generates certs with 1 year validity. after an year all Agent would fail to communicate with Ambari-server. Agent and Server certs would be expired. below steps can be followed to replace/resolve the expired certs.
1. stop ambari-server
2. take a back of existing /var/lib/ambari-server/keys folder and empty it.
3. download the attached keys.zip file and copy it to /var/lib/ambari-server/ , your new folder structure should be like /var/lib/ambari-server/keys/ca.config,/var/lib/ambari-server/keys/db/, - basically this is a fresh keys folder ( this is what you get when you install ambari-server )
4. Take a back up of all the Agent certs located at /var/lib/ambari-agent/keys/ in all the hosts.
5. Delete all the files under /var/lib/ambari-agent/keys/ folder
6. restart ambari-server.
Note: ambari-server should create new certs under /var/lib/ambari-server/keys/ca.crt , /var/lib/ambari-server/keys/ca.key ....
7. restart ambari-agent
Note: ambari-agent should create new certs under /var/lib/ambari-server/keys/ folder
now you should see the successful heart beat from all the Agents.
Note: Please note that if SSL is enabled for Ambari UI then have to re-enable SSL step again as some of the certs were not part of the keys folder. or else those files can be copied to new keys folders.