What is the difference between the Key Type options "created by device" and "created by server" in ClearPass OnBoard >> Provisioning Settings?
The option "created by device" uses SCEP to provision the EAP-TLS client certificate. The certificate signing request is generated on the device and signed by the OnBoard CA, so the private key is known only to the device. When you use the option "created by device", re-provisioning a client generates a new certificate every time.
When you select the option "created by server", the ClearPass server itself generates and signs the EAP-TLS client certificate and installs it on the device during the provisioning process. Re-provisioning a client re-uses the existing client certificate of the same user/device if the existing certificate expiration is more than 25% of its lifetime.
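
The "created by device" flow can be reproduced with plain openssl to see what the CA side actually receives. This is an added sketch, not ClearPass code: a throwaway CA stands in for the OnBoard CA, a file copy stands in for the SCEP transport, and the names `Demo Onboard CA` and `demo-user-device` are constructed. It assumes each provisioning run generates a fresh key pair on the device.

```shell
#!/bin/sh
# Added illustration: throwaway openssl CA in place of the Onboard CA (assumption).
# The cp in device_make_csr stands in for the SCEP transport; all names are constructed.
set -eu
WORK=$(mktemp -d); DEV="$WORK/device"; CA="$WORK/ca"
mkdir -p "$DEV" "$CA"

make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Onboard CA" \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" >/dev/null 2>&1
}

# Device side: generate a fresh key pair and a CSR; only the CSR is handed over.
device_make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-user-device" \
    -keyout "$DEV/device.key" -out "$DEV/device.csr" >/dev/null 2>&1
  cp "$DEV/device.csr" "$CA/device.csr"
}

# CA side: check the CSR's self-signature (proof of possession), then sign it.
ca_sign_csr() {
  openssl req -in "$CA/device.csr" -noout -verify >/dev/null 2>&1
  openssl x509 -req -in "$CA/device.csr" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
    -CAcreateserial -days 7 -out "$CA/device.crt" >/dev/null 2>&1
}

# SHA-256 over the PEM public key, taken from the device key or the issued cert.
key_fp()  { openssl pkey -in "$DEV/device.key" -pubout | openssl dgst -sha256 | awk '{print $NF}'; }
cert_fp() { openssl x509 -in "$CA/device.crt" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }

# One provisioning run; prints the public-key fingerprint bound into the cert.
provision() { device_make_csr; ca_sign_csr; cert_fp; }

# True if the CA side ever received device private-key material.
ca_holds_device_key() { grep -q "PRIVATE KEY" "$CA/device.csr" "$CA/device.crt"; }

make_ca
first=$(provision)
echo "cert binds device key:   $([ "$first" = "$(key_fp)" ] && echo yes || echo no)"
echo "CA saw the private key:  $(ca_holds_device_key && echo yes || echo no)"
second=$(provision)
echo "new key on re-provision: $([ "$first" != "$second" ] && echo yes || echo no)"
```

With "created by server" the key pair would instead be generated on the CA side and shipped to the device, so the `ca_holds_device_key` check is the property that distinguishes the two options.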