🔑 Public Key Fingerprint Generator – Verify & Compare Key Fingerprints
A public key fingerprint is a short, human-verifiable hash derived from a full cryptographic public key. Instead of comparing an entire 2048-bit RSA key or a 64-character Base64 blob, you compare a compact digest — making it practical to verify key authenticity at a glance or over the phone.
What Is a Key Fingerprint?
When you first connect to an SSH server, your client shows a fingerprint such as:
SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU (ED25519)
This fingerprint is the SHA-256 hash of the server's public key wire bytes, encoded in Base64. Comparing this single string lets you confirm you are connecting to the correct server — not an impostor — without transmitting or comparing the full key.
Supported Input Formats
| Format | Header / Prefix | Common Use |
|---|---|---|
| OpenSSH | ssh-rsa, ssh-ed25519, ecdsa-sha2-* | SSH authorized_keys, known_hosts |
| PEM Public Key | -----BEGIN PUBLIC KEY----- | PKCS#8 / SPKI – TLS, JWT, APIs |
| Legacy RSA PEM | -----BEGIN RSA PUBLIC KEY----- | PKCS#1 – older OpenSSL output |
| X.509 Certificate | -----BEGIN CERTIFICATE----- | TLS certs, CA chains, code signing |
Hash Algorithms Explained
- SHA-256 – Recommended. 256-bit output (32 bytes, 64 hex chars). The current OpenSSH and TLS default. Shown with the SHA256: prefix in Base64 format by OpenSSH tools.
- SHA-512 – Extended security. 512-bit output (64 bytes, 128 hex chars). Provides a larger security margin than SHA-256 for use cases requiring maximum collision resistance.
- SHA-1 – Legacy. 160-bit output. Still supported for backward compatibility with older SSH clients and certificates, but should not be used for new deployments.
- MD5 – Deprecated. 128-bit output. Shown in 16 colon-separated byte pairs. Commonly used in older SSH configurations (VisualHostKey) and legacy PKI systems. Not suitable for security-critical comparisons.
SSH RandomArt Visualization
OpenSSH's RandomArt (also called the "drunken bishop" algorithm) converts the raw fingerprint bytes into a unique 17×9 ASCII grid. Each byte encodes four diagonal moves of an imaginary bishop on the board; the number of times each cell is visited determines which character is drawn there.
Enable VisualHostKey yes in your SSH config to see this diagram automatically on every new connection. Two different keys will almost never produce the same pattern, making visual mismatches instantly obvious.
Common Fingerprint Use Cases
- SSH host verification – Compare the fingerprint your client shows on first connect with the fingerprint published by your server administrator.
- PGP key signing parties – Exchange and verify PGP public key fingerprints before signing to build the web of trust.
- TLS certificate pinning – Pin the SHA-256 fingerprint of a leaf certificate or intermediate CA to prevent MITM attacks in mobile and desktop apps.
- Key rotation audits – Compare before/after fingerprints to confirm that a key was actually rotated and not accidentally reused.
- CI/CD and secrets management – Record key fingerprints in infrastructure-as-code to detect unauthorized key replacements during deployments.
X.509 Certificate Fingerprints
For PEM certificates the tool reports two distinct fingerprints:
- Certificate fingerprint – SHA-256 hash of the entire DER-encoded certificate. This is what browsers display in the certificate details pane and what openssl x509 -fingerprint reports.
- Public key (SPKI) fingerprint – SHA-256 hash of just the SubjectPublicKeyInfo DER bytes embedded in the certificate. This fingerprint stays the same even if the certificate is renewed with the same key pair, making it ideal for key pinning.
Output Formats
Fingerprints can be displayed in three formats depending on your use case:
- AA:BB:CC:... – Colon-separated hex (standard SSH and TLS display)
- aabbcc... – Plain lowercase hex (machine-readable, database storage)
- SHA256:+DiY3w... – Base64 with algorithm prefix (OpenSSH default for SHA-256)
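The following is an added example, not the tool's own code. It computes the OpenSSH-style fingerprint described under "What Is a Key Fingerprint?" (SHA-256 over the Base64-decoded wire bytes of a public key line) and renders it in the three output formats listed above. The key is constructed inline and is not a real host key; the function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct


def sample_key_line() -> str:
    """Constructed ssh-ed25519 line (key bytes 0..31, not a real host key)."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b  # uint32 length prefix + data
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def wire_blob(line: str) -> bytes:
    """Decode the Base64 field and check it agrees with the declared key type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("wire blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match the wire blob")
    return blob


def fingerprints(line: str) -> dict:
    """SHA-256 fingerprint of the wire bytes in the three display formats."""
    digest = hashlib.sha256(wire_blob(line)).digest()
    return {
        "base64": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        "hex": digest.hex(),
        "colon": ":".join(f"{b:02X}" for b in digest),
    }


def matches_pinned(line: str, pinned: str) -> bool:
    """Compare the full fingerprint against one obtained out of band."""
    return hmac.compare_digest(fingerprints(line)["base64"].encode(), pinned.encode())


if __name__ == "__main__":
    for name, value in fingerprints(sample_key_line()).items():
        print(f"{name:7} {value}")
```

The type check in wire_blob rejects a line whose visible prefix was edited without changing the key bytes, and matches_pinned compares the whole string rather than a truncated prefix.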