NoMachine Support

Your questions answered

Knowledge Base

Searching in: Articles & FAQs
Filter the search results
Applies to:
Last update:
Searching in: Articles & FAQs
ID: AR10K00729
Applies to: NoMachine Server
Added on: 2013-10-28
Last update: 2020-07-09
How to verify the NoMachine server host fingerprint information

When you connect to a NoMachine host that you have not connected to before via NX protocol, the client prints a message asking if you want to continue to connect or not.

Connections by NX protocol

Message looks like:

The authenticity of host testdrive can't be established. The certificate fingerprint is: SHA256 Fingerprint=E0:61:D4:83:60:72:93:3D:20:94:DC:F3:01:09:57:12:94:32:AD:B9:84:4D:40:0A:66:74:64:2B:4B:64:F9:1B. Are you sure you want to continue connecting?

By accepting to continue, you accept the encryption key the server sent you.

If you want to get the fingerprint of the actual encryption key, you can check it on the server host: the NoMachine server host certificate is:

nx_host_rsa_key.crt

placed in the /etc/keys/host/ folder under the installation directory of NoMachine.
 

E.g. if the server is on a Linux host and openssl is installed,  you can run from a console the openssl command for Certificate Data Management and retrieve the fingerprint.

For example:

$ openssl x509 -noout -in /usr/NX/etc/keys/host/nx_host_rsa_key.crt -fingerprint -sha256
SHA256
Fingerprint=E0:61:D4:83:60:72:93:3D:20:94:DC:F3:01:09:57:12:94:32:AD:B9:84:4D:40:0A:66:74:64:2B:4B:64:F9:1B

or for older versions of NoMachine server (prior to v. 5.3.9) using the SHA-1 cryptografic hash algorithm to calculate fingerprint:

$ openssl x509 -noout -in /usr/NX/etc/keys/host/nx_host_rsa_key.crt -fingerprint
SHA1
Fingerprint=49:15:FB:CE:94:D1:84:ED:EF:7C:77:24:2C:E0:DD:A6:41:32:3D:D5
 

If NoMachine is instead on Windows, open PowerShell or CMD console and move to the NoMachine installation folder.
Then move to the etc\keys\host folder and execute the 'certutil' command on the nx_host_rsa_key.crt file:

certutil nx_host_rsa_key.crt  | findstr "Cert"

Output will be similar to:

X509 Certificate:
Certificate Extensions: 1
Root Certificate: Subject matches Issuer
Cert Hash(md5): 85861f38c0093ffb40686909e9f33493
Cert Hash(sha1): dfdbf9663168aaa9b1a2ad0a926ed84ca6d8e2c6
Cert Hash(sha256): 79708cb2779209f8079d423f07b24b33d549b69274a28b0f280dd959c26b3475
CertUtil: -dump command completed successfully.

Look for the ' Hash(sha256):' line to retrieve the fingerprint.

For older versions of NoMachine server (prior to v.5.3.9) using the SHA-1 cryptografic hash algorithm to calculate fingerprint:
right mouse click on the nx_host_rsa_key.crt file to open it and access the Details tab. Fingerprint is shown in the 'Thumbprint' field.


Connections by SSH protocol

Message looks like:

The authenticity of host testdrive can't be established. The RSA key fingerprint is: SHA256 B5 70 53 C3 3C F1 FB D9 AD CE EB CD 4C A3 1C FD EB B5 2F 3B 3E 60 60 90 F6 BA 82 4A 8C C9 DB 6F. Are you sure you want to continue connecting?

On a Linux host, you can check the fingerprint by means of this command:

$ LD_LIBRARY_PATH=/usr/NX/lib /usr/NX/bin/nxkeygen -f <path to ssh_host_public_key>

For example:
$ LD_LIBRARY_PATH=/usr/NX/lib /usr/NX/bin/nxkeygen -f /etc/ssh/ssh_host_rsa_key.pub