Short answer: I still don’t know, as I haven’t looked at the code (or checked whether it is even available).
Even shorter answer: ec2-fingerprint-key
Why such an obvious post? Well, I spent far too much time trying to figure out how to match up the information returned by ec2-describe-keypairs with the files I had on disk. This would have been a two-minute operation had Amazon seen fit to mention ec2-fingerprint-key in the “related operations” section of the documentation for ec2-describe-keypairs (or ec2-add-keypair, or ec2-delete-keypair). I’ve submitted feedback to Amazon’s documentation people about this omission. I imagine most people, like myself, do not read the Amazon documentation cover to cover.
Perhaps this was me being too smart for my own good. Instead of browsing the API calls, I set about trying to figure out how private key fingerprints were calculated based on my knowledge of how they are calculated for public keys. I’m quite familiar with public key fingerprints from the use of SSH, primarily when using ssh-agent. I assumed that private key fingerprinting, while perhaps a bit more obscure, was commonplace. It turns out only Amazon does this and probably made up their own method. I did find one reference to how (sha1 of the DER of the private key), but my quick attempt at
openssl rsa -in test.key -outform DER -pubout | openssl sha1 -c
didn’t match. Since I have the whole public-key fingerprinting stuff swapped into my head, I think I’ll write a quick post about it.
by Loïc Minier
29 Mar 2011 at 17:25
So did I!
There are actually two types of keys:
– keys generated by Amazon (ec2-add-keypair): the fingerprint is the SHA1 of the private bits of the key; not the whole private key text, but the RSA private key’s “d” bits; the Jenkins EC2 plugin has code to compute this https://github.com/jenkinsci/ec2-plugin/blob/master/src/main/java/hudson/plugins/ec2/EC2PrivateKey.java
– keys uploaded by the user (ec2-import-keypair): the fingerprint is MD5 based and derived from the public part of the keypair, but I didn’t find out how
Cheers,
by Dan
03 Oct 2012 at 08:32
That makes us three who spent too much time trying to figure it out…
If ~/.ssh/ec2/primary.pem is a key generated by EC2 itself:
openssl pkcs8 -in ~/.ssh/ec2/primary.pem -nocrypt -topk8 -outform DER | openssl sha1 -c
If ~/.ssh/ec2/primary.pem is a private key you generated yourself and from which you created a public key and imported that into EC2:
openssl pkey -in ~/.ssh/ec2/primary.pem -pubout -outform DER | openssl md5 -c
Credits for the first one go to http://journal.soffritto.org/entry/231; the second one was just a bit more trial and error.
I’ll leave this here for any wary traveller happening across your post.
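The two openssl pipelines in the comment above, wrapped into a small script so a key file on disk can be checked against both fingerprint styles at once (SHA-1 over the PKCS#8 DER of the private key for EC2-generated keys, MD5 over the DER public key for imported ones). This is an added example, not code from the post or from Amazon; it assumes only that `openssl` is on PATH, and the key it generates is a throwaway test input, not a real EC2 key.

```shell
#!/bin/sh
# Added example: compute both EC2 fingerprint styles for a PEM private key.
# Assumes `openssl` is on PATH. The generated key is constructed test input.
set -e

# Insert colons between hex byte pairs: 0123ab -> 01:23:ab
colonize() {
  printf '%s\n' "$1" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Style used for keys EC2 generated itself (ec2-add-keypair):
# SHA-1 over the PKCS#8 DER encoding of the private key.
ec2_generated_fingerprint() {
  hex=$(openssl pkcs8 -in "$1" -nocrypt -topk8 -outform DER \
        | openssl dgst -sha1 | sed 's/.*= *//')
  colonize "$hex"
}

# Style used for keys the user imported (ec2-import-keypair):
# MD5 over the DER-encoded public key derived from the private key.
ec2_imported_fingerprint() {
  hex=$(openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -md5 | sed 's/.*= *//')
  colonize "$hex"
}

# Create a throwaway 2048-bit RSA key for the demo and print its path.
make_test_key() {
  f=$(mktemp)
  openssl genrsa -out "$f" 2048 2>/dev/null
  printf '%s\n' "$f"
}

# Print both fingerprints; whichever one matches the fingerprint column of
# ec2-describe-keypairs tells you how the key pair was created.
report() {
  printf 'generated-style (sha1/pkcs8): %s\n' "$(ec2_generated_fingerprint "$1")"
  printf 'imported-style  (md5/pubkey): %s\n' "$(ec2_imported_fingerprint "$1")"
}

# Usage: sh ec2-fp.sh /path/to/private-key.pem
if [ $# -ge 1 ]; then report "$1"; fi
```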
by Justin Riley
01 Nov 2013 at 12:31
For anyone interested, here’s how to calculate the public and private RSA key fingerprints used by Amazon EC2 from Python:
https://gist.github.com/jtriley/7270594
This script is also usable as a command line client – move the file into your $PATH and make it executable and you can call it like so:
$ ec2-fingerprint /path/to/private-key.rsa
This gist was assembled using methods from StarCluster’s sshutils module.