詳しくは

• https://devforums.apple.com/thread/183805?start=25&tstart=0

The issue in our particular case was that our account somehow had three distribution certificates set up, two of which that were already expired. Apple only allow two enterprise distribution certificates per account at any given time. The rep could not explain how or why our account managed to have three. Nonetheless, I removed the two expired certificates. After doing so, the 'App Store and Ad Hoc' option on the 'Add iOS Certificate' page was finally enabled under the 'Distribution' heading. This option was previously disabled because of the issue with having more than two certs. After this, I was able to create the new distribution profile which was successfully used to sign an app and deploy it wirelessly.

意図せず3つ以上でてしまうケースが有るらしい

So the rule here is that if you have two distribution, you will probably have to delete the older of the two so that you can create a new distribution certificate. Just be careful when revoking a distribution certificate because when you do so, it will prevent any application that is deployed using that certificate from being executed.

基本的には 2つまで Production (Distribution) Certificates は登録できるものの、2つ登録した場合はIn-House and Ad Hoc" の選択肢が Disabled になる。このため、どちらかを revoke する必要があるだろう。(revokeすると CI 環境などのビルドがコケる可能性があるので注意)

蛇足ですが revoke ボタンは確認画面がでずに revoke できちゃったような記憶があるので、全社的に CI を導入している場合などは revoke ボタンを興味本位で触らないほうがよいかもしれません。