How to verify the private key I have matches AWS keypair?

My AWS instance says it is configured to use the only keypair I have on my account and it has a fingerprint in the format of:

3c:64:a7:85:53:3f:81:1c:24:5a:d2:6a:5b:76:47:da:f3:14:63:88

I have a key.pem file on my computer. How do I verify that this pem file matches up with the above key-pair fingerprint provided by AWS?

I have attempted the following: ssh-keygen -lf key.pem

That outputs something in this format: 2048 SHA256:TpL6i8y1uCd26IUVVc5UHFluP7GLKD/T3O1+K4Pc0qg no comment (RSA)

The encoding scheme is different, I am not able to tell if they are equivalent.

I am trying to debug why I am unable to ssh into my instance with this key, this is the first step I am trying.


There are two methods, depending on how you created your SSH key as described in Verifying Your Key Pair's Fingerprint in AWS docs.

Here is my SSH key fingerprint in the console:

EC2 Key Pairs Screenshot

And here is how to get the same fingerprint from the command line:

~ $ openssl rsa -in ~/.ssh/aws-sandpit.pem -pubout -outform DER | openssl md5 -c
writing RSA key
(stdin)= ae:ae:56:84:f9:72:c4:d1:0a:b8:e9:3b:ab:d4:a7:00

If that doesn't match try this:

~ $ openssl pkcs8 -in path_to_private_key -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c

Hope that helps :)


Historically, ssh-keygen displayed fingerprints using a hex-encoded MD5 hash. More recently, OpenSSH added support for -- and changed the default to -- base64-encoded SHA-256.

You can add the option "-E md5" to use the old format, though it will now be prefixed with "MD5:".

$ ssh-keygen -lf id_ed25519
256 SHA256:4gU2OwTypjq8lE6CvwTUZYQ6gyRRqXvKsZt1yUAGC2s mnordhoff@jane (ED25519)

$ ssh-keygen -lf id_ed25519 -E md5
256 MD5:41:e3:9f:30:a7:92:66:70:18:18:7d:e7:cd:66:ba:1d mnordhoff@jane (ED25519)