Taken from this ServerFault post: https://serverfault.com/questions/603982/why-does-my-openssh-key-fingerprint-not-match-the-aws-ec2-console-keypair-finger
Keys generated locally You can use OpenSSL, as demonstrated by Daniel on the AWS forums, to generate the fingerprint in the form used by AWS to show fingerprints for uploaded public keys (SSH2 MD5), like:
7a:58:3a:a3:df:ba:a3:09:be:b5:b4:0b:f5:5b:09:a0
They can be generated by extracting the public part from the private key and hashing it using:
openssl pkey -in id_rsa -pubout -outform DER | openssl md5 -c
Keys generated on AWS If the key fingerprint shown on the AWS console is longer then it was a private key generated on AWS, like:
ea:47:42:52:2c:25:43:76:65:f4:67:76:b9:70:b4:64:12:00:e4:5a
In this case you need to use the following command, also shown by Daniel on the AWS forums, to generate a sha1 hash based on the private key:
openssl pkcs8 -in aws_private.pem -nocrypt -topk8 -outform DER | openssl sha1 -c
on the downloaded AWS-generated private key/certificate file. It'll work on keys you converted to OpenSSH format too.