diff --git a/token/options.go b/token/options.go
index 6bdd0ff47..cf8b85979 100644
--- a/token/options.go
+++ b/token/options.go
@@ -16,6 +16,8 @@ import (
 	"github.com/pkg/errors"
 	nebula "github.com/slackhq/nebula/cert"
+	"golang.org/x/crypto/ssh"
+
 	"go.step.sm/crypto/fingerprint"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
@@ -105,16 +107,18 @@ func WithFingerprint(v any) Options {
 		switch vv := v.(type) {
 		case *x509.CertificateRequest:
 			data = vv.Raw
+		case ssh.PublicKey:
+			data = vv.Marshal()
 		default:
 			return fmt.Errorf("unsupported fingerprint for %T", v)
 		}
-		kid, err := fingerprint.New(data, crypto.SHA256, fingerprint.Base64RawURLFingerprint)
+		fp, err := fingerprint.New(data, crypto.SHA256, fingerprint.Base64RawURLFingerprint)
 		if err != nil {
 			return err
 		}
 		c.Set(ConfirmationClaim, map[string]string{
-			"x5rt#S256": kid,
+			"x5rt#S256": fp,
 		})
 		return nil
 	}
diff --git a/token/options_test.go b/token/options_test.go
index f25ab144a..5b7e209db 100644
--- a/token/options_test.go
+++ b/token/options_test.go
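Review bot: The new `ssh.PublicKey` case stores its value under the same `x5rt#S256` confirmation key as the CSR case, so a consumer of the claim cannot tell whether the fingerprint covers an X.509 request (`vv.Raw`, which includes the requester's signature over the request) or a bare SSH public key's wire encoding (`vv.Marshal()`, which carries no proof of possession); if both are meant to be checked the same way by the verifier, that should be stated on the function's doc comment, which sits above this hunk. That comment should also list the accepted types now that there are two, e.g. `// WithFingerprint adds a cnf claim holding the SHA-256 fingerprint of an *x509.CertificateRequest (its DER bytes) or an ssh.PublicKey (its SSH wire encoding), encoded as raw base64url.` Worth adding there too: because `fingerprint.Base64RawURLFingerprint` uses the URL-safe alphabet, the SSH value will not match `ssh.FingerprintSHA256` or `ssh-keygen -l` output byte for byte (those use the standard alphabet with a `SHA256:` prefix), so a verifier must re-encode rather than compare strings. WithFingerprint's signature, the enclosing closure and the declaration of `data` are outside the hunk.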
@@ -86,9 +86,9 @@ func TestOptions(t *testing.T) {
 		{"WithNebulaCurve25519Cert empty file fail", WithNebulaCert(emptyFile.Name(), nil), empty, true},
 		{"WithNebulaCurve25519Cert invalid content fail", WithNebulaCert(c25519CertFilename, nil), empty, true},
 		{"WithNebulaCurve25519Cert mismatching key fail", WithNebulaCert(c25519CertFilename, p256Signer), empty, true},
-		{"WithConfirmationFingerprint ok", WithConfirmationFingerprint("my-kid"), &Claims{ExtraClaims: map[string]any{"cnf": map[string]string{"kid": "my-kid"}}}, false},
-		{"WithFingerprint csr ok", WithFingerprint(testCSR), &Claims{ExtraClaims: map[string]any{"cnf": map[string]string{"kid": "ak6j6CwuZbd_mOQ-pNOUwhpmtSN0mY0xrLvaQL4J5l8"}}}, false},
-		{"WithFingerprint ssh ok", WithFingerprint(testSSH), &Claims{ExtraClaims: map[string]any{"cnf": map[string]string{"kid": "hpTQOoB7fIRxTp-FhXCIm94mGBv7_dzr_5SxLn1Pnwk"}}}, false},
+		{"WithConfirmationFingerprint ok", WithConfirmationFingerprint("my-kid"), &Claims{ExtraClaims: map[string]any{"cnf": map[string]string{"x5rt#S256": "my-kid"}}}, false},
+		{"WithFingerprint csr ok", WithFingerprint(testCSR), &Claims{ExtraClaims: map[string]any{"cnf": map[string]string{"x5rt#S256": "ak6j6CwuZbd_mOQ-pNOUwhpmtSN0mY0xrLvaQL4J5l8"}}}, false},
+		{"WithFingerprint ssh ok", WithFingerprint(testSSH), &Claims{ExtraClaims: map[string]any{"cnf": map[string]string{"x5rt#S256": "hpTQOoB7fIRxTp-FhXCIm94mGBv7_dzr_5SxLn1Pnwk"}}}, false},
 		{"WithFingerprint fail", WithFingerprint("unexpected type"), empty, true},
 	}
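Review bot: The `WithFingerprint csr ok` and `WithFingerprint ssh ok` rows pin opaque base64 constants, so a reader cannot tell from the table what the SSH value is a hash of (the key's wire encoding, per the new branch in options.go) as opposed to its authorized_keys text or some other form, and a silent change of input in options.go would only show up as an unexplained constant mismatch. If `testSSH` is an `ssh.PublicKey` (not visible in this hunk), deriving the expectation once next to the literal would document the contract, e.g. `sum := sha256.Sum256(testSSH.Marshal())` and `want := base64.RawURLEncoding.EncodeToString(sum[:])`, then asserting `want` equals the pinned string. The test table's enclosing slice literal starts outside the hunk.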