When a certificate host key is used (instead of a simple host key), the fingerprint shown by ThinLinc is not the same as the fingerprint shown by OpenSSH. This can be very confusing for users and makes it difficult to verify that the correct key is used.
The reason for the difference is that OpenSSH does not generate the fingerprint from the certificate host key directly. For certificates it first converts them to a simple host key, and then shows the fingerprint of that.
This unfortunately means we need to know which key types are certificates, and what their internal structure looks like. It also means that two keys can have the same fingerprint, even if one is a certificate and one is a plain key.
This currently works again because we automatically downgrade certificate host keys (see bug 7643).
However, if we want to properly support them in the future, then this bug needs to be fixed as well.
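The conversion described above (a certificate is reduced to its plain host key before hashing), as an added example that is neither ThinLinc's nor OpenSSH's own code. The function names and the key-type table (Ed25519, RSA and ECDSA only) are assumptions made for illustration, and the sample blobs are constructed rather than real keys.

```python
import base64
import hashlib
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"
# Length-prefixed key fields that follow the nonce in a certificate blob and
# form the body of the matching plain key blob (assumed table, not exhaustive).
KEY_FIELDS = {"ssh-ed25519": 1, "ssh-rsa": 2, "ecdsa-sha2-nistp256": 2,
              "ecdsa-sha2-nistp384": 2, "ecdsa-sha2-nistp521": 2}

def ssh_string(data):
    # SSH wire format: 32-bit big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data

def read_string(blob, offset):
    # Read one length-prefixed field, rejecting truncated input.
    if offset + 4 > len(blob):
        raise ValueError("truncated length")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def to_plain_blob(blob):
    # Rebuild the plain key blob from a certificate; plain keys pass through.
    key_type, offset = read_string(blob, 0)
    name = key_type.decode("ascii")
    if not name.endswith(CERT_SUFFIX):
        return blob
    plain = name[:-len(CERT_SUFFIX)]
    if plain not in KEY_FIELDS:
        raise ValueError("unknown certificate type: " + name)
    _nonce, offset = read_string(blob, offset)  # the nonce is not part of the key
    out = ssh_string(plain.encode("ascii"))
    for _ in range(KEY_FIELDS[plain]):
        field, offset = read_string(blob, offset)
        out += ssh_string(field)
    return out  # serial, principals, signature etc. are ignored

def fingerprint(blob):
    # SHA256 over the blob exactly as given (what hashing the certificate yields).
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def openssh_fingerprint(blob):
    # Fingerprint of the plain key, as described above for OpenSSH.
    return fingerprint(to_plain_blob(blob))

def constructed_sample():
    # Constructed data: fake 32-byte key, fake nonce, only the serial as tail.
    pk = bytes(range(32))
    plain = ssh_string(b"ssh-ed25519") + ssh_string(pk)
    cert = (ssh_string(b"ssh-ed25519" + CERT_SUFFIX.encode("ascii"))
            + ssh_string(b"\x11" * 32) + ssh_string(pk) + struct.pack(">Q", 7))
    return plain, cert
```

On the constructed pair, `openssh_fingerprint` returns the same value for the certificate and the plain key, while `fingerprint` on the certificate blob gives a different one, which is the mismatch and the collision described above.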