I'm an Agent for my company's Enterprise account and your issue is mainly as laid out above: the existence of two Enterprise certs. Where I'm slightly confused is why you have multiple folks working as your Agent. Apple has setup the Enterprise account & portal in such a way that there is to be one company-wide Agent that has complete control over that Enterprise Distribution certificate and it is paired with his/her CSR/private key. If you really want to do this properly you need to get a hold of the actual Agent in charge of the account and get him to export his private key used to sign the CSR & Distribution Cert so you can develop against it. If you're NOT the entity doing the final production builds for Enterprise deployment I would suggest better coordinating your efforts with the Agent as he may have a plan you're not aware of.

我是我公司企业帐户的代理，您的问题主要如上所述：存在两个企业证书。我有点困惑的地方是为什么你有多个人作为你的代理工作。Apple 以这样一种方式设置了企业帐户和门户，即有一个公司范围的代理可以完全控制该企业分发证书，并将其与他/她的 CSR/私钥配对。如果你真的想正确地做到这一点，你需要掌握负责帐户的实际代理，并让他导出用于签署 CSR 和分发证书的私钥，以便你可以针对它进行开发。如果您不是为企业部署进行最终生产构建的实体，我建议您更好地与代理协调您的工作，因为他可能为您制定了计划”

Regarding the multiple certificates Apple started doing that over a year ago so that you can smoothly cutover to a new Distribution Cert in your apps without scrambling to update all apps on the previously singular cert simultaneously.

关于多个证书，Apple 在一年前开始这样做，以便您可以在应用程序中顺利切换到新的分发证书，而无需争先恐后地同时更新以前单一证书上的所有应用程序。

Lastly one point to note is that while the certificate is good for 3 years your provisioning profile will still expire in 12 months time to make sure your client is scheduling their update & maintenance cadence appropriately.

最后要注意的一点是，虽然证书有效期为 3 年，但您的配置文件仍将在 12 个月后过期，以确保您的客户正确安排更新和维护节奏。

Feel free to shoot me any questions on this. Good luck!

请随时向我提出任何关于此的问题。祝你好运！

EDIT Enterprise OverviewDeveloper Roles

编辑 企业概述开发人员角色

The Agent role is meant for one person to act as a gatekeeper for that company. It's does create a problem for a large company pumping out multiple in-house apps but the control factor helps maintain a cohesive environment.

代理角色旨在让一个人充当该公司的看门人。这确实为大型公司推出多个内部应用程序带来了问题，但控制因素有助于维持有凝聚力的环境。

Where you're going to start getting into trouble is when your original cert is set to expire and you need to roll them over to the newer cert the other person who has Agent access created. He/she is going to have to either compile your code for you or export their private key out of keychain access so that you can use that newer Enterprise Dist Cert.

当您的原始证书设置为过期时，您将开始遇到麻烦，并且您需要将它们滚动到具有代理访问权限的其他人创建的较新证书。他/她将不得不为您编译代码或从钥匙串访问中导出他们的私钥，以便您可以使用较新的 Enterprise Dist Cert。

What should typically happen is an Agent creates the first cert and all in-house apps are signed to it. That cert may expire in 2016 as an example. The prov profiles will expire every year, though so each app needs to take an update at least every 12 months to refresh itself with a new prov profile. Fast fwd to the end of 2015 and you're staring down an expiring cert. You'd create the replacement cert, update the provisioning profiles for each active app with the new cert (expires in say 2019), then update each app with the new prov profile attached to the new cert before the 2016 cert goes stale.

通常应该发生的是代理创建第一个证书并且所有内部应用程序都签名到它。例如，该证书可能会在 2016 年到期。prov 配置文件每年都会过期，但因此每个应用程序至少需要每 12 个月更新一次，以使用新的 prov 配置文件刷新自己。快进到 2015 年底，您正盯着即将到期的证书。您将创建替换证书，使用新证书更新每个活动应用程序的配置文件（比如 2019 年到期），然后在 2016 年证书失效之前使用附加到新证书的新 prov 配置文件更新每个应用程序。

Make sense?

有道理？