Error: is not a certificate

I was following this

/usr/local/bin/tctl auth export --type=user >
head # cert-authority ssh-rsa AAAAB3Nxxx
# remove the `cert-authority`
head # ssh-rsa AAAAB3
# validate
ssh-keygen -Lf # " is not a certificate"

my teleport version

/usr/local/bin/tctl version
Teleport Enterprise v4.2.8git:v4.2.8-0-ga9015b33 go1.13.2

You use ssh-keygen to check (it is added as TrustedUserCAKeys in /etc/ssh/sshd_config).
In this manual, the command

$ sudo ssh-keygen -L -f

is used to check the key generated for the list of trusted servers.
You need to generate a certificate for the list of your trusted servers with command (for example)

$ tctl auth sign \,,, \
      --format=openssh --out ssh_known_hosts

you will get 2 files named ssh_known_hosts and in the current directory.
Then check the contents of

$ sudo ssh-keygen -L -f