The current UC root CA will expire in 2021. Since this key certificate is baked into jenkins.war, it needs a plenty of time to rotate. I think two years window would be sufficient, but since I looked, we might as well start now.
This would be an opportunity to upgrade the key used to sign it. Currently, the key strength is RSA/2048.
Beware of the export control restriction in JVM. I don't know if it's still in place, but if it is it places a limit to the key length we can use.