SSH Key Fingerprint Checker

Field	Value	Copy
{{ row.label }}	{{ row.value }}
No data

SSH key fingerprints are short identifiers that safely represent a public key. They let you compare what a server presents with what you trust, without exposing the key itself. The OpenSSH fingerprint format is a common reference in audits and inventory work, helping teams verify host identity during provisioning and routine checks.

You provide one public key line or an entry from a known_hosts or authorized_keys list. The output shows digest values plus parsed details such as key type, bit length or curve, and an optional comment. A human‑readable summary pairs with structured data so you can paste into tickets, playbooks, and asset records.

Picture a note that includes ssh‑ed25519, a long Base64 string, and a user tag. The SHA256 value becomes the anchor you compare across machines. If it changes, pause and confirm the source before continuing. Never paste a private key anywhere, and always verify through a trusted channel.

Use SHA‑256 for matching, keep MD5 for legacy listings, and enable SHA‑1 only when you must compare with older catalogs. The short preview is handy on screen, but copy the complete value when filing requests. Certificate tokens are recognized, and their fingerprint reflects the whole certificate rather than the inner raw key.

Technical Details:

The engine parses a single OpenSSH public key line, or applies heuristics to authorized_keys and known_hosts entries, to locate the key type token and Base64 payload. It decodes the SSH key blob, derives inner type, bit length or curve, and computes fingerprints over the raw blob. Digests include SHA‑256 (primary), MD5 (colon‑separated hex, optional uppercase), and optionally SHA‑1. Processing is deterministic for identical inputs and runs entirely in your browser.

Processing pipeline

Trim input and ignore extra non‑empty lines after the first.
Reject private key markers and unsupported formats.
Find a known key type token; choose strict or heuristic parsing.
Extract Base64, decode to bytes, and parse the SSH key blob.
Derive inner type, bits or curve, and collect warnings.
Hash the blob with SHA‑256; compute MD5; optionally compute SHA‑1.
Format outputs: OpenSSH SHA256, hex digests, and a summary line.
Expose a table plus JSON; enable copy and export actions.

Symbols & Units

Symbols and their meanings
Symbol	Meaning	Unit/Datatype	Source
k	Key type token (e.g., ssh‑ed25519, ssh‑rsa)	text	Input
b64	Base64 payload of the OpenSSH key	text	Input
L	Key blob length	bytes	Derived
n	RSA modulus bit length	bits	Derived
c	Curve name for ECDSA or security‑key types	text	Derived
SHA256_b64	Primary fingerprint in OpenSSH style	Base64 (no padding)	Derived
MD5_hex	Legacy fingerprint	hex pairs with colons	Derived

Supported key types

ssh‑ed25519; ssh‑rsa; ssh‑dss.
ecdsa‑sha2‑nistp256, ecdsa‑sha2‑nistp384, ecdsa‑sha2‑nistp521.
sk‑ecdsa‑sha2‑nistp256@openssh.com; sk‑ssh‑ed25519@openssh.com.
OpenSSH certificates: any *‑cert‑vNN@openssh.com token.

Units, precision & formatting

Hex digits are lowercase by default; optional uppercase for MD5.
MD5 is grouped as colon‑separated byte pairs.
SHA‑256 and SHA‑1 are Base64 without trailing = padding.
Bit lengths reflect parsed parameters (e.g., RSA modulus, ECDSA curve).
No rounding applies; outputs are exact digests of the key blob.

Validation & bounds extracted from code

Inputs, constraints, and error messages
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Public key or single line	text	1 char	—	OpenSSH type, then Base64, then optional comment	“Private keys are not accepted.”; “Enter a single OpenSSH public key line.”; “Could not find a supported key type in the line.”; “Missing Base64 key after type.”; “Invalid Base64 length.”; “Invalid Base64 key data.”; “Truncated key blob.”; “Truncated string in key blob.”; “WebCrypto is unavailable in this browser.”	ssh‑ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJ0vS6m... user@host
Include SHA‑1	boolean	—	—	Computes legacy SHA‑1 fingerprint in Base64	Default off	—
Uppercase MD5 hex	boolean	—	—	Shows MD5 hex in uppercase	Default off	—
Strict parsing	boolean	—	—	Only “type base64 [comment]”; else heuristics apply	Default off	—

I/O formats & encoding

Input and output formats
Input	Accepted Families	Output	Encoding/Precision	Rounding
OpenSSH public key line	OpenSSH token plus Base64 and optional comment	SHA‑256 (primary)	Base64 without padding as `SHA256:<value>`	Exact
authorized_keys / known_hosts entry	Heuristic token and payload extraction	MD5 (legacy)	Hex byte pairs with colons; optional uppercase	Exact
OpenSSH certificate token	`*‑cert‑vNN@openssh.com`	SHA‑1 (optional)	Base64 without padding as `SHA1:<value>`	Exact
File text	Loaded as UTF‑8 text and trimmed	JSON and CSV exports	UTF‑8 text with quoted fields	Exact

Performance & complexity

Parsing and hashing are O(n) in key blob length.
Memory usage scales linearly with input size.
Processing is synchronous per input; no streaming.
Clipboard and download actions are constant time for typical keys.

Diagnostics & determinism

Consistent output for identical inputs.
Warnings for short RSA, deprecated DSA, unexpected lengths, and certificates.
Errors for unsupported types, malformed Base64, and truncated blobs.
A summary line mirrors common command‑line styles for quick comparison.

Security considerations

Rejects private keys by design.
Digest display does not prove trust; verify out of band.
MD5 and SHA‑1 are legacy; prefer SHA‑256 for matching.

Worked example

Input: ssh‑ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJ0vS6m... user@host

Derived: type ED25519, bits 256, comment user@host.

Output: SHA256:<base64‑without‑padding>, MD5 as aa:bb:cc:…, plus a one‑line summary like 256 SHA256:<value> user@host (ED25519).

Assumptions & limitations

Heads‑up Only the first non‑empty line is processed; extra lines are ignored with a note.
Heuristics decide between plain, authorized_keys, and known_hosts forms.
RSA shorter than 2048 bits triggers a warning.
DSA keys are flagged as deprecated.
Certificates are fingerprinted as certificates, not as bare keys.
JSON preview trims the input echo to 4000 characters.
No file size cap is enforced; very large inputs may be slow.

Edge cases & error sources

Invalid Base64 length or characters.
Missing Base64 after a recognized type token.
Unrecognized or misspelled key type tokens.
Truncated SSH blob or string fields.
Unexpected Ed25519 byte length.
Certificate tokens with inner types that do not match the outer token.
Browsers without WebCrypto support cannot compute SHA digests.
Copying truncated on‑screen previews instead of full values.

Privacy & compliance

No data is transmitted or stored server‑side; all parsing and hashing happen locally in your browser.

Step‑by‑Step Guide:

Follow these steps to compute and export fingerprints from a single key line.

Paste a public key line or drop a text file.
Enable Strict parsing if the line is exactly “type base64 [comment]”.
Toggle Uppercase MD5 if you must match legacy displays.
Turn on Include SHA‑1 only for older inventories.
Copy values or export CSV/JSON for records.

Example: Paste an ssh‑rsa line; you’ll see SHA‑256, MD5, bit length, and any comment, plus a one‑line summary for quick comparison.

Reminder Never paste private keys; this checker rejects them by design.

FAQ:

Is my data stored?

No. Parsing and hashing occur entirely in your browser, and nothing is sent to any server or saved.

Use trusted devices for sensitive material.

Which key types are supported?

ed25519, RSA, DSA, ECDSA on NIST P‑256/P‑384/P‑521, two security‑key types, and OpenSSH certificates marked by *‑cert‑vNN@openssh.com.

What fingerprint formats are shown?

OpenSSH‑style SHA‑256 in Base64 without padding, MD5 as colon‑separated hex, and optional SHA‑1 in Base64.

How accurate are the results?

Fingerprints are exact digests of the key blob. The process is deterministic; identical inputs yield identical outputs.

Can I work without a network?

Once loaded, computation runs in your browser with no additional requests. Use a modern browser that supports WebCrypto.

Why is SHA‑1 off by default?

SHA‑1 exists for backward comparison only. Keep it off unless you must match older records.

What is the one‑line summary?

A compact line showing bits, the SHA‑256 value, an optional comment, and the pretty type in parentheses for quick side‑by‑side comparison.

Can I paste multiple lines?

Only the first non‑empty line is processed. Extra lines are ignored with a small notice.

Why is RSA flagged under 2048 bits?

Short RSA keys are weak by today’s standards. A warning helps you spot keys that should be rotated.

Troubleshooting:

“Private keys are not accepted.” — paste the public key line, not a private key block.
“Could not find a supported key type.” — check for a valid token like ssh‑ed25519.
“Missing Base64 after type.” — ensure the payload follows the type token.
“Invalid Base64 length.” — fix spacing or stray characters in the payload.
“Truncated key blob.” — confirm the key was copied fully.
MD5 mismatch — toggle uppercase to match legacy displays.
Empty output — verify that the first non‑empty line contains the key.

Blocked: “WebCrypto is unavailable in this browser.” Use a current browser that supports SubtleCrypto to compute SHA‑256 and SHA‑1.

Advanced Tips:

Prefer SHA‑256 when recording fingerprints in documentation and tickets.
Use strict parsing for clean inputs to catch formatting mistakes early.
Keep the full SHA‑256 value; previews are for on‑screen scanning only.
Treat MD5 as compatibility output for older inventories and devices.
Note that certificate fingerprints represent the certificate object, not just the embedded key.

Glossary:

Fingerprint: Short digest that identifies a public key.
OpenSSH: Popular SSH implementation and key format.
Public key: Shareable key used to verify signatures.
Key blob: Binary payload inside the OpenSSH line.
Base64: Text encoding for binary data; padding omitted here.
Hex: Base‑16 notation used for MD5 display.
SHA‑256: Modern hash function; primary fingerprint.
SHA‑1: Legacy hash function; optional output.
MD5: Legacy hash shown as colon‑separated hex.
Curve: Named group for ECDSA keys (e.g., P‑256).
known_hosts: List of server keys trusted by a client.