Short answer: I still don’t know, as I haven’t looked at the code (or if it is even available).

Even shorter answer: ec2-fingerprint-key

Why such an obvious post?  Well, I spent far too much time trying to figure out how to match up the information returned by ec2-describe-keypairs with the files I had on disk.  This would have been a two minute operation had Amazon seen fit to mention ec2-fingerprint-key in the “related operations” section of the documentation for ec2-describe-keypairs (or ec2-add-keypair, or ec2-delete-keypair).  I’ve submitted feedback to Amazon’s documentation people about this omission.  I imagine most people, like myself, do not read the Amazon documentation cover to cover.

Perhaps this was me being too smart for my own good.  Instead of browsing the API calls, I set about trying to figure out how private key fingerprints were calculated based on my knowledge of how they are calculated for public keys.  I’m quite familiar with public key fingerprints from the use of SSH, primarily when using ssh-agent.  I assumed that private key fingerprinting, while perhaps a bit more obscure, was commonplace.  It turns out only Amazon does this and probably made up their own method.  I did find one reference to how (sha1 of the DER of the private key), but my quick attempt at

openssl rsa -in test.key -outform DER -pubout | openssl sha1 -c

didn’t match.  Since I have the whole public-key fingerprinting stuff swapped into my head, I think I’ll write a quick post about it.
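
Added example, not code from the original post: AWS's EC2 documentation describes the fingerprint of a key pair created by EC2 as SHA-1 over the DER-encoded PKCS#8 private key, and of an imported key pair as MD5 over the DER-encoded public key. The script below applies both to unencrypted RSA PEM files to find the one matching a fingerprint from ec2-describe-keypairs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: match an EC2 key-pair fingerprint to an RSA private key on disk.
# Assumes unencrypted PEM files and the openssl CLI; function names are made up.

# Key pair created by EC2: SHA-1 over the unencrypted PKCS#8 DER of the private key.
fp_created() {
    openssl pkcs8 -in "$1" -inform PEM -topk8 -nocrypt -outform DER 2>/dev/null |
        openssl dgst -sha1 -c | awk '{print $NF}'
}

# Key pair imported into EC2: MD5 over the DER SubjectPublicKeyInfo of the public key.
fp_imported() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -md5 -c | awk '{print $NF}'
}

# find_key FINGERPRINT FILE...
# Prints "<file> created" or "<file> imported" for the first match; returns 1 if none.
find_key() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    shift
    for f in "$@"; do
        # Skip anything that is not a readable, unencrypted RSA private key,
        # so an empty pipe is never hashed and no passphrase prompt appears.
        openssl rsa -in "$f" -passin pass: -noout 2>/dev/null || continue
        if [ "$(fp_created "$f")" = "$want" ]; then
            echo "$f created"
            return 0
        elif [ "$(fp_imported "$f")" = "$want" ]; then
            echo "$f imported"
            return 0
        fi
    done
    return 1
}

# When run as a script: ./match-key.sh <fingerprint> <keyfile>...
if [ "$#" -ge 2 ]; then
    find_key "$@"
fi
```

The SHA-1 form is 20 colon-separated bytes and the MD5 form is 16, so the length of the fingerprint reported for a key pair already tells you which calculation applies.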