diff --git a/util/clissh/ssh.go b/util/clissh/ssh.go
index a6f32ce7115..b4f29212428 100644
--- a/util/clissh/ssh.go
+++ b/util/clissh/ssh.go
@@ -5,6 +5,7 @@ import (
 "crypto/sha1"
 "crypto/sha256"
 "encoding/base64"
+ "encoding/hex"
 "errors"
 "fmt"
 "io"
@@ -28,6 +29,7 @@ const (
 md5FingerprintLength = 47 // inclusive of space between bytes
 hexSha1FingerprintLength = 59 // inclusive of space between bytes
 base64Sha256FingerprintLength = 43
+ sha256FingerprintLength = 64
 DefaultKeepAliveInterval = 30 * time.Second
 )
@@ -331,9 +333,12 @@ func (c *SecureShell) terminalType() string {
 return term
 }
-func base64Sha256Fingerprint(key ssh.PublicKey) string {
+func sha256Fingerprint(key ssh.PublicKey, encode bool) string {
 sum := sha256.Sum256(key.Marshal())
- return base64.RawStdEncoding.EncodeToString(sum[:])
+ if encode {
+ return base64.RawStdEncoding.EncodeToString(sum[:])
+ }
+ return hex.EncodeToString(sum[:])
 }
 func copyAndClose(wg *sync.WaitGroup, dest io.WriteCloser, src io.Reader) {
@@ -364,8 +369,10 @@ func fingerprintCallback(skipHostValidation bool, expectedFingerprint string) ss
 var fingerprint string
 switch len(expectedFingerprint) {
+ case sha256FingerprintLength:
+ fingerprint = sha256Fingerprint(key, false)
 case base64Sha256FingerprintLength:
- fingerprint = base64Sha256Fingerprint(key)
+ fingerprint = sha256Fingerprint(key, true)
 case hexSha1FingerprintLength:
 fingerprint = hexSha1Fingerprint(key)
 case md5FingerprintLength:
diff --git a/util/clissh/ssh_test.go b/util/clissh/ssh_test.go
index 2451e2a39d0..9cef54c6bc5 100644
--- a/util/clissh/ssh_test.go
+++ b/util/clissh/ssh_test.go
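Review bot: The new `encode bool` parameter on sha256Fingerprint is a bare boolean flag whose meaning is not recoverable at the call sites (`sha256Fingerprint(key, true)` and `sha256Fingerprint(key, false)` in fingerprintCallback), and the name is misleading because both branches encode — the flag only selects base64 versus hex. Renaming it makes the calls self-describing: `func sha256Fingerprint(key ssh.PublicKey, base64Encoded bool) string`; alternatively keep base64Sha256Fingerprint and add a sibling hexSha256Fingerprint so no flag is needed at all. The function also lacks a doc comment; suggest `// sha256Fingerprint returns the SHA-256 digest of the marshalled public key, as raw (unpadded) base64 when base64Encoded is true and as lowercase hex otherwise.`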
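Review bot: The new `case sha256FingerprintLength` branch in fingerprintCallback yields a lowercase hex string from hex.EncodeToString, so a 64-character expected fingerprint supplied in uppercase hex (a common way tools print SHA-256 digests) would presumably be reported as a host key mismatch if the comparison later in the function is a plain string equality; that comparison is outside this hunk, so this is inferred. If so, normalise the expected value in this branch, e.g. `expectedFingerprint = strings.ToLower(expectedFingerprint)` (strings must be present in the import block, which this diff does not show), or compare the two with strings.EqualFold. Dispatching on length alone is acceptable here since a 64-character value that is not valid hex can never equal the computed digest and therefore fails closed. The rest of fingerprintCallback, including the comparison and the error path, lies outside the hunk.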
@@ -253,6 +253,28 @@ var _ = Describe("CLI SSH", Serial, FlakeAttempts(9), func() {
 })
 })
+ Context("when the sha256 fingerprint matches", func() {
+ BeforeEach(func() {
+ sshEndpointFingerprint = "b29fe3acbba3ebaafecab2c350a65d254e6d773b789aafd469288d063a60afef"
+ })
+
+ It("does not return an error", func() {
+ Expect(callback("", addr, TestHostKey.PublicKey())).ToNot(HaveOccurred())
+ })
+ })
+
+ When("the SHA256 fingerprint does not match", func() {
+ BeforeEach(func() {
+ sshEndpointFingerprint = "0000000000000000000000000000000000000000000000000000000000000000"
+ })
+
+ It("returns an error'", func() {
+ err := callback("", addr, TestHostKey.PublicKey())
+ Expect(err).To(MatchError(MatchRegexp(`Host key verification failed\.`)))
+ Expect(err).To(MatchError(MatchRegexp("The fingerprint of the received key was \".*\"")))
+ })
+ })
+
 When("the base64 SHA256 fingerprint does not match", func() {
 BeforeEach(func() {
 sshEndpointFingerprint = "0000000000000000000000000000000000000000000"