Generate SSH key fingerprints in both the legacy MD5 colon-hex form and the modern SHA256 base64 form, from cryptographically random bytes. Ideal for populating SSH key management screens and deployment config with realistic placeholders.
When you need fake fingerprints
SSH key fingerprints appear in a number of places in real infrastructure tooling, and building or testing that tooling requires realistic-looking placeholder data:
- SSH key management UI testing — screens that list registered SSH keys for users typically show the fingerprint alongside the key name and date added. Seeding a test database with realistic fingerprints lets you verify layout, truncation, copy buttons, and sorting without ever generating or exposing real keys.
- CI/CD and deployment config — pipeline configs,
known_hostsentries in test environments, and host verification stubs often require a fingerprint in the correct format. A fake one in the right format lets the pipeline reach the SSH parsing logic without requiring a live server. - Documentation and screenshots — help docs, onboarding flows, and product screenshots showing SSH key setup screens need realistic fingerprints. Using
SHA256:aaaabbbbcccc...looks obviously fake; a properly formatted random fingerprint reads authentically. - Developer tooling and fixture files — unit or integration tests for anything that parses, displays, or stores SSH fingerprints need correctly-formatted test inputs.
How it works
OpenSSH fingerprints a public key by hashing its blob and displaying the digest. Two display conventions exist:
MD5 16 bytes -> "MD5:" + colon-separated lowercase hex
SHA256 32 bytes -> "SHA256:" + unpadded base64
The tool draws the right number of random bytes from Web Crypto and renders them
in the chosen convention, including the modern habit of stripping the base64
= padding. The bytes are random, not a hash of any real key, so the result is
a safe stand-in.
Real SSH fingerprint format reference
For orientation, a real ssh-keygen -l output looks like this:
# Legacy MD5 (old OpenSSH):
2048 MD5:3d:a7:f8:6c:2b:0a:4e:7f:92:c1:ab:88:d3:02:ef:1c user@host (RSA)
# Modern SHA256 (current OpenSSH default):
256 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 user@host (ED25519)
The generated fingerprint matches the MD5:... or SHA256:... portion exactly. The bit-count prefix (2048 or 256) and the comment (user@host) are context you would add separately in your tooling.
Tips and notes
Match the format to your OpenSSH era: very old clients showed MD5 by default,
while current ones default to SHA256. ED25519 keys are 256 bits and always use
SHA256 in modern OpenSSH; RSA keys can be 2048 or 4096 bits but still display
a SHA256 fingerprint of the same length. The optional key-type label (RSA, ECDSA,
ED25519) is cosmetic — never add a generated fingerprint to known_hosts or
authorized_keys, since it authenticates nothing and adding it to a trust list would cause a connection failure.