These operate on the SubjectPublicKeyInfo of the certificate, which does change unless the private key is changed. This allows the fingerprint to stay constant even if the certificate is reissued. (The same fingerprint is also used by DANE)