Error: teleport_user_ca.pub is not a certificate

I was following this https://gravitational.com/teleport/docs/openssh_teleport/

/usr/local/bin/tctl auth export --type=user > teleport_user_ca.pub
head teleport_user_ca.pub # cert-authority ssh-rsa AAAAB3Nxxx
# remove the `cert-authority`
vi teleport_user_ca.pub
head teleport_user_ca.pub # ssh-rsa AAAAB3
# validate
ssh-keygen -Lf teleport_user_ca.pub # "teleport_user_ca.pub:1 is not a certificate"

my teleport version

/usr/local/bin/tctl version
Teleport Enterprise v4.2.8git:v4.2.8-0-ga9015b33 go1.13.2

You use ssh-keygen to check teleport_user_ca.pub (it is added as TrustedUserCAKeys in /etc/ssh/sshd_config).
In this manual, the command

$ sudo ssh-keygen -L -f api.example.com-cert.pub

is used to check the key generated for the list of trusted servers.
You need to generate a certificate for the list of your trusted servers with command (for example)

$ tctl auth sign \
      --host=api.example.com,ssh.example.com,64.225.88.175,64.225.88.178 \
      --format=openssh --out ssh_known_hosts

you will get 2 files named ssh_known_hosts and ssh_known_hosts-cert.pub in the current directory.
Then check the contents of ssh_known_hosts-cert.pub.

$ sudo ssh-keygen -L -f ssh_known_hosts-cert.pub
3 Likes