TL;DR
Yes, you can generate multiple different fingerprints from a single RSA public key using different hashing algorithms and formats. This isn’t a problem in itself, but it’s important to understand the differences when comparing keys or checking for consistency.
How to Generate Multiple RSA Key Fingerprints
- Understand Fingerprinting Basics
  - A fingerprint is a short, unique representation of a longer piece of data (like an RSA public key). It’s used for quick comparison.
  - Hashing algorithms create these fingerprints. Different algorithms produce different results even with the same input.
- Using OpenSSL

  OpenSSL is a common tool for working with cryptography. Here’s how to generate various RSA key fingerprints. Note that `openssl x509` reads an X.509 certificate, so the input file must be a certificate containing the key; the fingerprint is computed over the whole DER-encoded certificate.

  - MD5 Fingerprint: (Generally discouraged due to collision vulnerabilities)

    ```sh
    openssl x509 -noout -fingerprint -md5 -in your_public_key.pem
    ```

  - SHA1 Fingerprint: (Also discouraged, but still sometimes seen)

    ```sh
    openssl x509 -noout -fingerprint -sha1 -in your_public_key.pem
    ```

  - SHA256 Fingerprint: (Recommended – most common modern choice)

    ```sh
    openssl x509 -noout -fingerprint -sha256 -in your_public_key.pem
    ```

  - SHA384 Fingerprint: (Good alternative to SHA256, provides a longer fingerprint)

    ```sh
    openssl x509 -noout -fingerprint -sha384 -in your_public_key.pem
    ```

  - SHA512 Fingerprint: (Longest and most secure, but less common)

    ```sh
    openssl x509 -noout -fingerprint -sha512 -in your_public_key.pem
    ```

- Fingerprint Formats
  - Colon-Hexadecimal: (Most Common) This is the standard format you’ll see in many tools and systems, like SSH keys.

    Example:

    ```
    AA:BB:CC:DD:EE:FF:01:23:45:67:89:AB:CD:EF:01:23
    ```

  - Hexadecimal: A continuous string of hexadecimal characters.

    Example:

    ```
    AABBCCDDEEFF0123456789ABCDEF0123
    ```

- Comparing Fingerprints
  - Algorithm Consistency: When comparing fingerprints, *always* ensure you’re using the same hashing algorithm (e.g., SHA256). Comparing a SHA1 fingerprint to a SHA256 fingerprint is meaningless.
  - Format Consistency: Ensure the format is also consistent (colon-hexadecimal vs. hexadecimal).
- Practical Example – SSH Key Verification

  When adding an SSH key to a server, you’ll typically get a fingerprint displayed. Verify that this fingerprint matches the one generated on your local machine with `ssh-keygen` (using SHA256 is best practice).

  - Generate Fingerprint Locally:

    ```sh
    ssh-keygen -lf ~/.ssh/id_rsa.pub
    ```

  - Compare: Carefully compare the output of `ssh-keygen` with the fingerprint shown by the server during key addition.
- Using Python (with cryptography library)

  You can also generate fingerprints programmatically using Python:

  ```python
  from cryptography.hazmat.primitives import hashes
  import binascii


  def fingerprint(public_key):
      # hashes.SHA256() only names the algorithm; hashes.Hash does the hashing.
      hasher = hashes.Hash(hashes.SHA256())
      hasher.update(public_key)
      digest = hasher.finalize()
      # Return the digest as a continuous lowercase hexadecimal string.
      return binascii.hexlify(digest).decode('utf-8')


  # Example (assuming you have the public key in bytes format):
  public_key_bytes = b'...'  # Replace with your actual public key data
  sha256_fingerprint = fingerprint(public_key_bytes)
  print(f"SHA256 Fingerprint: {sha256_fingerprint}")
  ```
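
The comparison rules above (same algorithm, same format) as an added example that is not part of the original page. It uses only Python's standard library instead of `cryptography`, hashes the OpenSSH `ssh-rsa` wire encoding of a constructed sample key, and goes slightly beyond the text by also parsing the labelled base64 form that `ssh-keygen -l` prints. The helper names (`ssh_rsa_blob`, `fingerprints`, `parse`, `same_key`) and the sample key values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

SIZES = {16: "md5", 20: "sha1", 32: "sha256", 48: "sha384", 64: "sha512"}

def ssh_rsa_blob(e: int, n: int) -> bytes:
    """OpenSSH wire form of an RSA public key: string "ssh-rsa", mpint e, mpint n."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    def mpint(x: int) -> bytes:
        # The extra byte becomes a leading zero when the top bit would otherwise be set.
        return ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)

def fingerprints(blob: bytes) -> dict:
    """Render the same key bytes under several algorithms and formats."""
    out = {}
    for name in ("md5", "sha1", "sha256", "sha512"):
        digest = hashlib.new(name, blob).digest()
        # Labelled, unpadded base64: the style ssh-keygen -l prints for SHA256.
        b64 = base64.b64encode(digest).decode().rstrip("=")
        out[name] = {"hex": digest.hex().upper(), "colon": digest.hex(":").upper(),
                     "b64": f"{name.upper()}:{b64}"}
    return out

def parse(fp: str) -> tuple:
    """Normalize a fingerprint string to (algorithm, raw digest bytes)."""
    label, _, rest = fp.strip().partition(":")
    if label.lower() in SIZES.values() and ":" not in rest:
        return label.lower(), base64.b64decode(rest + "=" * (-len(rest) % 4))
    raw = bytes.fromhex(fp.replace(":", ""))  # fromhex skips whitespace
    if len(raw) not in SIZES:
        raise ValueError("unrecognized fingerprint length")
    return SIZES[len(raw)], raw

def same_key(fp_a: str, fp_b: str) -> bool:
    """Compare two fingerprints; refuse to compare across algorithms."""
    (alg_a, raw_a), (alg_b, raw_b) = parse(fp_a), parse(fp_b)
    if alg_a != alg_b:
        raise ValueError(f"cannot compare {alg_a} with {alg_b} fingerprints")
    return hmac.compare_digest(raw_a, raw_b)

SAMPLE_BLOB = ssh_rsa_blob(65537, (1 << 2047) | 0x1234567)  # constructed, not a real key

if __name__ == "__main__":
    for alg, forms in fingerprints(SAMPLE_BLOB).items():
        print(alg, forms["colon"], forms["b64"])
```

Because `same_key` normalizes to raw digest bytes first, a colon-hex and a plain-hex rendering of the same digest compare equal, while a SHA1 versus SHA256 comparison raises instead of silently returning `False`.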

