Some API requests that involve copying files to or from a remote server require that you provide the SSH fingerprint for the remote server in the request body. The SSH fingerprint is derived from a host key on the remote server.

To connect via SSH, the NSX Manager and the remote server must have a host key type in common. If there are multiple host keys types in common, whichever one is preferred according to the HostKeyAlgorithm configuration on the NSX Manager is used.

Having the fingerprint for a remote server helps you confirm you are connecting to the correct server, protecting you from man-in-the-middle attacks. You can ask the administrator of the remote server if they can provide the SSH fingerprint of the server. Or you can connect to the remote server to find the fingerprint. Connecting to the server over console is more secure than over the network.

The following table lists what NSX Manager supports in order from more preferred to less preferred.
Table 1. NSX Manager Host Keys in Preferred Order
Host key types supported by NSX Manager Default Location of the Key
ECDSA (256 bit) /etc/ssh/
ED25519 /etc/ssh/


  1. Log in to the remote server as root.
    Logging in using a console is more secure than over the network.
  2. List the public key files in the /etc/ssh directory.
    $ ls -al /etc/ssh/*pub
    -rw-r--r-- 1 root root 601 Apr  8 18:10
    -rw-r--r-- 1 root root  93 Apr  8 18:10
    -rw-r--r-- 1 root root 393 Apr  8 18:10
  3. Compare the available keys to what NSX Manager supports.
    In this example, ED25519 is the only acceptable key.
  4. Get the fingerprint of the key.
    # awk '{print $2}' /etc/ssh/ | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64 | sed 's/.//44g' | awk '{print "SHA256:"$1}'