Hi, I have a question related to Fleet enrolment. When a new cert is generated, deployed to Fleet and pushed to the agent, osquery was not able to access Fleet, but when the cert was downloaded from Fleet it worked. So why did the cert change? Shouldn't it be the same cert that Fleet and osquery are using?
04/09/2021, 3:56 PM
I would use openssl to compare the two certs. I think Fleet tries to download the whole cert chain which can help with osquery's validation.