After numerous days of testing, I can confirm that invalid keys are getting created when I use the process described here:
http://dcid.me/2011/01/automatically-creating-and-setting-up-the-agent-keys/

I rolled out the Atomic ossec-client RPM to 10 clients. The clients' keys get populated in the OSSEC server. After restarting the server, my logs are filled with ERROR 1213 (host x.x.x.x not allowed). When I delete the key and recreate it, it works.

Note: When I run base64 -d and paste the base64 key, I get the same string as in the client.keys file, but at the end it says: "base64: invalid input". That ^^ appears to be a problem.
