Secure Shell (SSH) Key Fingerprint Checker

Field	Value	Copy
{{ row.label }}	{{ row.value }}
No data

SSH public keys are structured identifiers for secure remote access and automation, and their fingerprints are compact signatures that help you confirm identity quickly. Many teams search for an ssh key fingerprint checker so they can compare what a server shows with what they hold.

Paste a single OpenSSH key line and read the summary with one glance. You get a modern fingerprint plus a hexadecimal digest and clear key details so matching a host or user becomes straightforward.

In a deployment workflow you might paste a server key copied from known_hosts or a public key from an authorized_keys entry and compare the short string shown on first connection. The same approach helps during audits when you want to verify stored keys against a registry.

Public keys identify key material and not account status, so a match confirms bytes and not trust. Keep inputs tidy and consistent for clean comparisons, and prefer current key types for long term safety. If you paste multiple lines only the first is processed and extra lines are ignored with a short note.

Technical Details:

Secure Shell (SSH) public keys are provided as a token that names the key family and a Base64 payload that encodes the key blob. The tool reads the payload, decodes the bytes, and reports digest summaries that are designed for fast human comparison.

The main computation forms a fingerprint from the decoded key bytes, not from the text line. It reports a Base64 summary of the SHA256 digest and a colon separated hexadecimal summary of the MD5 digest. When enabled, it also reports a Base64 summary of the SHA1 digest for legacy environments.

Results include the key family, a pretty type label, bit length or curve, and the original comment. Warnings highlight deprecated families, unusually small modulus sizes, certificate blobs, and type mismatches between the visible token and the inner blob.

Comparisons are valid for the exact bytes of the encoded key blob. They do not assert ownership or authorization and they do not test whether a private key exists for the public key.

Core processing pipeline

Trim input and keep the first non‑empty line.
Reject private key markers and PuTTY private key headers.
Parse line strictly or with heuristics to find type and Base64.
Decode Base64 to key blob bytes.
Compute SHA256 over the bytes and encode to Base64 without padding.
Compute MD5 over the bytes and render hex as colon pairs.
Optionally compute SHA1 and encode to Base64 without padding.
Parse blob fields to derive inner type, bits, and curve.
Assemble rows, warnings, and a compact ssh-keygen style line.

\begin{array}{lll} H_{256} & = & SHA256 (key bytes) \\ F_{OpenSSH} & = & "SHA256:" ∥ Base64 (H_{256}) ∖ "=" \\ F_{MD5} & = & hex (MD5 (key bytes)) \to aa:bb:… \end{array}

Symbols and sources used in the computation
Symbol	Meaning	Unit/Datatype	Source
key bytes	Decoded OpenSSH key blob	byte array	Derived
$H_{256}$	SHA256 digest of key bytes	32 bytes	Derived
$F_{OpenSSH}$	Displayed Base64 fingerprint without padding	string	Derived
$F_{MD5}$	Colon separated hexadecimal pairs	string	Derived
bits	Estimated key size or curve size	integer	Derived

Worked example

Input line: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJ0vS6m… user@host.

\begin{array}{lll} key bytes & = & Base64^{-1} (AAAAC3NzaC…) \\ F {OpenSSH}_{} & = & " SHA256: " ∥ Base64 (SHA256 (key bytes)) ∖ " = " \\ F {MD5}_{} & = & aa : bb : \dots \end{array}

Interpretation: the ED25519 label confirms family, the fingerprint strings allow side‑by‑side matching with what a host or agent reports.

Warning sources and their implications
Warning	Trigger	Implication
RSA key shorter than 2048 bits	RSA modulus bit length < 2048	Consider migrating to larger RSA or ED25519/ECDSA.
DSA keys are deprecated	Family token is `ssh-dss`	Expect rejection in many SSH builds.
OpenSSH certificate detected	Inner type ends with `-cert-v…@openssh.com`	Fingerprint reflects the certificate blob bytes.
Type token mismatch	Outer token differs from inner blob type	Line may be malformed or rewritten.
Unexpected Ed25519 key length	Public key byte length ≠ 32	Input likely truncated or corrupted.

Validation and bounds extracted from code

Input rules and error messages
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Public key line	string	1 char	—	Rejects private key headers	Private keys are not accepted.	ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA… user@host
Strict format	string	—	—	`type base64 [comment]`	Expected "type base64 [comment]".	—
Key type token	enum	—	—	Known OpenSSH families	Unsupported or unknown key type.	—
Base64 after type	string	1 char	—	Non‑empty	Missing Base64 key after type.	—
Base64 decoding	string	—	—	Padding added except length mod 4 = 1	Invalid Base64 key data.	—
Browser crypto	capability	—	—	WebCrypto required	WebCrypto is unavailable in this browser.	—

I/O formats and representations

Accepted inputs and produced outputs
Input	Accepted Families	Output	Encoding/Precision	Rounding
OpenSSH line	ED25519, RSA, DSA, ECDSA, SK‑ECDSA, SK‑ED25519, OpenSSH certificates	SHA256, MD5, optional SHA1; bits/curve; comment	Base64 (no padding) and hex with colons	Exact digests; no rounding
authorized_keys entry	Heuristic token discovery	As above	As above	—
known_hosts line	Host patterns and markers ignored	As above	As above	—

Units, precision, and rendering: digests are exact; SHA256 and SHA1 are reported without trailing = padding; MD5 can be uppercase on request; byte counts are integers.

Networking and storage behavior: processing is client‑only with no uploads; copy and download actions write to the local clipboard or files.

Diagnostics and determinism: the same input bytes always yield the same outputs; warnings are purely rule based.

Security considerations: never paste private keys; fingerprints prove byte identity only; MD5 is for compatibility and not for risk decisions.

Assumptions & limitations

Processes only the first non‑empty line; extra lines are ignored with a note.
Accepts only recognized OpenSSH key families and certificate forms.
Bits are derived from modulus or curve rules and may be unavailable for unknown blobs.
RSA keys shorter than 2048 bits trigger a warning.
DSA is marked deprecated and may be disabled in many environments.
SHA1 reporting is off by default and intended for legacy checks.
MD5 is compatibility output and not a security signal.
Requires a browser with WebCrypto support for SHA functions.

Edge cases & error sources

Private key blocks or PuTTY private keys are rejected immediately.
Missing Base64 token after the type produces a parse error.
Base64 length equal to 1 modulo 4 cannot be decoded safely.
Outer type that disagrees with inner blob type raises a mismatch warning.
OpenSSH certificate inputs compute the certificate blob fingerprint.
Ed25519 blobs not 32 bytes long trigger an unexpected length warning.
Host markers and hashed names in known_hosts are ignored during parse.
Very long comments display but do not affect computed digests.
Clipboard access may be blocked by user settings, preventing copy feedback.
Disabling WebCrypto prevents SHA outputs and stops processing.

Privacy & compliance: no data is transmitted or stored server‑side.

How‑to:

SSH public key fingerprints let you compare keys quickly and confirm what a host or agent presents.

Copy a single OpenSSH public key line.
Paste it into the input area and review the preview.
Toggle Strict parsing for exact type base64 [comment] format if needed.
Enable SHA1 only for legacy comparisons.
Use Uppercase MD5 if your reference uses uppercase.
Compare the fingerprint with what your target system shows.

Example: paste ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA… alice@work and match the shown SHA256:… with a server prompt.

Keep comments meaningful so you can recognize keys later.
Prefer ED25519 or ECDSA for new deployments when permitted.

FAQ:

Is my data stored?

No. All parsing and hashing occur in your browser and the page does not send inputs anywhere.

Never paste private keys.

Which key types are supported?

ED25519, RSA, DSA, ECDSA, security‑key variants, and OpenSSH certificate forms. Unknown families are rejected during parse.

Why is SHA1 optional?

It exists for compatibility with older systems. Leave it off unless you must compare against a legacy record.

Why does MD5 have colons?

The hex digest is grouped as byte pairs for readability. You can switch to uppercase if your reference uses it.

Can I paste known_hosts or authorized_keys lines?

Yes. Heuristics locate the key token and Base64 payload, ignoring host patterns or options that precede the key.

What does a “borderline” result mean?

Warnings highlight deprecated families or short RSA sizes. They suggest migration but do not block fingerprint comparison.

How do I validate a CSR?

This tool focuses on SSH public keys and fingerprints. Use a certificate utility to inspect certificate signing requests.

Does it work offline?

Yes after the page loads, since computation happens locally. Clipboard and file actions depend on your browser settings.

Troubleshooting:

“Private keys are not accepted.” Ensure you pasted a public key, not a private block.
“Unsupported or unknown key type.” Confirm the line starts with a recognized OpenSSH family.
“Missing Base64 key after type.” The Base64 token must follow the type.
“Invalid Base64 key data.” Remove stray characters and ensure padding is not corrupted.
No SHA outputs appear. Enable a browser with WebCrypto available.
Warnings show for DSA or short RSA. Replace the key with a current family or larger size.

If nothing appears, clear the input and paste a single line again. Multi‑line blocks are ignored beyond the first line.

Glossary:

SSH: Secure Shell protocol for remote access using key pairs.
OpenSSH key: Single line format with type, Base64 blob, and optional comment.
Fingerprint: Short digest string used to compare key identity.
SHA256: Modern hash function producing a 32 byte digest.
MD5: Message‑Digest Algorithm 5 rendered as colon separated hex pairs.
Key blob: Binary bytes decoded from the Base64 payload.
authorized_keys: Per user file listing allowed public keys with options.
known_hosts: Host key cache used to detect changes in server identity.