Jin,
Yes, often denied keys will have the same name as an already-accepted minion. This is really the only reason a minion ends up in "denied", is if a minion of the same name was already accepted, but the keys don't match.
Currently, there's no way to delete one key without deleting both using `salt-key`. We should add such functionality, to just delete "denied" minions. Would you mind opening an issue for this feature?
That said, deleting these keys is still very easy. Just delete the key out of the /etc/salt/pki/master/minions_denied
Hope that helps.
--
Colton Myers
Platform Engineer, SaltStack
@basepi on Twitter/Github/IRC