My client\'s iOS In-House provisioning profiles are about to expire in 2 weeks. So to renew them, I wanted to create a new In-House certificate. But when clicking \"Add\" th
I'm an Agent for my company's Enterprise account and your issue is mainly as laid out above: the existence of two Enterprise certs. Where I'm slightly confused is why you have multiple folks working as your Agent. Apple has setup the Enterprise account & portal in such a way that there is to be one company-wide Agent that has complete control over that Enterprise Distribution certificate and it is paired with his/her CSR/private key. If you really want to do this properly you need to get a hold of the actual Agent in charge of the account and get him to export his private key used to sign the CSR & Distribution Cert so you can develop against it. If you're NOT the entity doing the final production builds for Enterprise deployment I would suggest better coordinating your efforts with the Agent as he may have a plan you're not aware of.
Regarding the multiple certificates Apple started doing that over a year ago so that you can smoothly cutover to a new Distribution Cert in your apps without scrambling to update all apps on the previously singular cert simultaneously.
Lastly one point to note is that while the certificate is good for 3 years your provisioning profile will still expire in 12 months time to make sure your client is scheduling their update & maintenance cadence appropriately.
Feel free to shoot me any questions on this. Good luck!
EDIT Enterprise Overview Developer Roles
The Agent role is meant for one person to act as a gatekeeper for that company. It's does create a problem for a large company pumping out multiple in-house apps but the control factor helps maintain a cohesive environment.
Where you're going to start getting into trouble is when your original cert is set to expire and you need to roll them over to the newer cert the other person who has Agent access created. He/she is going to have to either compile your code for you or export their private key out of keychain access so that you can use that newer Enterprise Dist Cert.
What should typically happen is an Agent creates the first cert and all in-house apps are signed to it. That cert may expire in 2016 as an example. The prov profiles will expire every year, though so each app needs to take an update at least every 12 months to refresh itself with a new prov profile. Fast fwd to the end of 2015 and you're staring down an expiring cert. You'd create the replacement cert, update the provisioning profiles for each active app with the new cert (expires in say 2019), then update each app with the new prov profile attached to the new cert before the 2016 cert goes stale.
Make sense?