DXcertgen command line tool fails to recreate management-ui DSA and/or monitoring-management-ui DSA

Article ID: 234264


Products

CA Directory

Issue/Introduction

When recreating expired hostname-management-ui and hostname-monitoring-management-ui DSA certificates with the -i (issuer) option, as described in the product documentation, the dxcertgen command line tool may fail with an error.

Example:

dxcertgen -i "CN=GenCA,O=MgmtUI,C=AU" -D "hostname-management-ui" certs


C:\>dxcertgen -i "CN=GenCA,O=MgmtUI,C=AU" -D "hostname-management-ui" certs
Setting root certificate and public/private keys for signing...
! Exporting certificate 'dxcertgen' from C:\Program Files\CA\Directory\dxserver\config\ssld\javakeystores\cacerts...
! Root CA alias 'dxcertgen' found but has different issuer
! Cloning alias 'dxcertgen' as 'dxcertgen_bak' in C:\Program Files\CA\Directory\dxserver\config\ssld\javakeystores\cacerts...
Error: keytool error: java.lang.Exception: Alias <dxcertgen> references an entry type that is not a private key entry.
The -keycolne command only supports cloning of private key entries

Error: keytoolCloneAlias(dxcertgen, C:\Program Files\CA\Directory\dxserver\config\ssld\javakeystores\cacerts)
Error: setRootCertAndKeyPair() failed

dxcertgen certs failed.

Environment

Release : 14.1

Component : CA Directory

Resolution

NOTE: On Linux, the Directory home environment is defined by $DXHOME, while on Windows it is defined by %DXHOME%, so use the form that applies to your platform.

This error occurs because the 'cacerts' file (in the DXHOME\config\ssld\javakeystores folder) has somehow become corrupted.

The solution is to:

1) Back up the existing 'cacerts' and 'clientcerts' files on the problem host.
2) Copy the same two files from one of the other existing Directory hosts to the problem host, placing them in the same location.
3) Re-run the dxcertgen command as before; this time it should complete successfully.
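
The backup in step 1, together with a check of the entry type named in the keytool error above, as an added shell example that is not part of the original article or the product. It assumes Linux with $DXHOME set and both keystore files in $DXHOME/config/ssld/javakeystores; the function names and the "run" argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the Linux layout with $DXHOME
# set and both keystores in $DXHOME/config/ssld/javakeystores (assumption).

# Extract the entry type from `keytool -list -alias` output on stdin.
# keytool's summary line has the form: <alias>, <date>, <EntryType>,
entry_type() {
    sed -n 's/^.*, *\([A-Za-z]*Entry\),.*$/\1/p' | head -n 1
}

# Succeeds only for the type the failing clone step says it needs.
is_cloneable() {
    [ "$1" = "PrivateKeyEntry" ]
}

# Step 1: timestamped copies of cacerts and clientcerts; prints the suffix.
backup_keystores() {
    dir=$1
    stamp=$(date +%Y%m%d%H%M%S)
    for f in cacerts clientcerts; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
        cp -p "$dir/$f" "$dir/$f.bak.$stamp" || return 1
    done
    echo "$stamp"
}

# Report the type of the 'dxcertgen' alias in a keystore.
# keytool asks for the keystore password when it runs.
report_alias() {
    t=$(keytool -list -keystore "$1" -alias dxcertgen | entry_type)
    if is_cloneable "$t"; then
        echo "$1: dxcertgen is $t"
    else
        echo "$1: dxcertgen is '${t:-not found}', not a private key entry"
        return 1
    fi
}

# Runs only when invoked as: sh check_cacerts.sh run
if [ "${1:-}" = "run" ]; then
    ksdir="$DXHOME/config/ssld/javakeystores"
    backup_keystores "$ksdir" && report_alias "$ksdir/cacerts"
fi
```

Running report_alias against the keystore on the other Directory host as well lets you compare the entry type before copying the files in step 2.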