SSH host key/TLS host certificate fingerprint “…” does not match pattern “…”

You get these errors, when the SSH host key fingerprint provided to SessionOptions.SshHostKeyFingerprint or TLS host certificate provided to SessionOptions.TlsHostCertificateFingerprint have a wrong format.

Examples of the correct format of the fingerprints:

  • Base64-encoded SHA-256 SSH host key fingerprint:
    ssh-rsa 2048 2EPqmpSRaRtUIqwvm15rzavssrhHxJ3avJWh9mBaz8M=
  • Hex-encoded SHA-256 TLS host certificate fingerprint:

Easiest way to get the fingerprints in the correct format is to have WinSCP generate a code template in your preferred language for you. For other options, see also Where do I get SSH host key fingerprint to authorize the server?

Also make sure you use the same version (ideally the latest) of WinSCP both for obtaining the fingerprint in WinSCP GUI and using the fingerprint in WinSCP .NET assembly. Older versions do not support modern SHA-256 fingerprints. So the fingerprint formats may be incompatible (and less safe).

A common mistake is to substitute SessionOptions.TlsHostCertificateFingerprint with SessionOptions.SshHostKeyFingerprint (or vice versa). The SSH host key is used with SSH-based protocols SFTP and FTP. The TLS host certificate is used with SSL-based protocols FTPS and WebDAVS.

Last modified: by martin