One certificate can sign any number of provisioning profiles which are what you need to run the app on devices.
- Distribution Certificate: Program wide
- Provisioning Profile: Per app
You may have two active certificates at any given time. Normally you will only use one at a time and then transition to the second certificate before the first one expires.
Before I attempt to answer your questions...
How many apps do you have?
Which cert was used to generate profile D?
We only have 1 enterprise app. We have regenerated a provisioning profile to use a later distrib cert (expire in 2021), profile will expire next year.
I am unfamiliar with Revoke of cert on the developer.apple.com site. If one were to accidentally hit it, is there a prompt to ensure you know what you are doing?
And if you proceed, does it impact apps in the field that ref that revoked cert? Does the app when it has an internet connection check against this cert on the developer.apple.com site?
Likewise, if one uses automatic signing (which I don't for finer control) and it says Revoke an existing cert on the build machine - is it only limited to the build machine or does it revoke on the developer site, too?
Revoking an Enterprise Developer distribution certificate will cause all installed apps that have a distribution provisioning profile that used it to stop functioning. You are correct that the app must occasionally check with Apple's server to see if the certificate and profile are still valid (which is why Enterprise apps don't work well on devices without regular internet access). Apple doesn't say exactly how often that check is done.
If Xcode revokes a certificate, it will be revoked on the developer site.
I'm not sure what automatic signing does if you have 2 distribution certificates installed in your keychain. I haven't used it because I want to make sure I know what is being used to sign things. When I export an archive for Enterprise Distribution, I choose to manual signing and make sure I choose the correct certificate and profile.