For the man pages under the URL, https://man.openbsd.org/ssh-keygen, the option -U states:

    -U  When used in combination with -s, this option indicates that a CA key resides in a ssh-agent(1). See the CERTIFICATES section for more information.

Under the CERTIFICATES section, https://man.openbsd.org/ssh-keygen#CERTIFICATES, it states:

    Similarly, it is possible for the CA key to be hosted in a ssh-agent(1). This is indicated by the -U flag and, again, the CA key must be identified by its public half.

        $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub

    In all cases, key_id is a "key identifier" that is logged by the server when the certificate is used for authentication.

I have a use case in which having a Certificate Authority's private key loaded in the ssh-agent would be very beneficial (i.e. not having the private key unsecured), and then using it to sign ssh host certificates using "ssh-keygen -Us ca_key.pub -h -I key_id host_key.pub".
I believe I found that ssh-keygen was updated to include -U at version 7.6/7.6p1.

 * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377
If I'm reading this correctly, you've figured this out already and were trying to use a feature added in a newer release of OpenSSH than the one you had at hand. As such, I'll close this bug. If I've misread the situation then please feel free to reopen.
close bugs that were resolved in OpenSSH 8.5 release cycle
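
The workflow discussed in this thread, written out as an added example (not part of the original report and not OpenSSH project code): it checks that the installed OpenSSH is at least the 7.6 release named above, then signs a host key with a CA whose private half exists only in ssh-agent. The file names, `demo_key_id`, `host.example.com` and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Keys, key id and principal below are constructed demo values.

# Return 0 if a version banner (the format printed by `ssh -V`) is OpenSSH >= 7.6,
# the release whose notes add CA keys held in ssh-agent; 2 if the banner is unrecognised.
openssh_supports_agent_ca() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                     # $1 = major, $2 = minor
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 6 ]; }
}

# Create a CA key and a host key in directory $1, move the CA private key into a
# throwaway agent, sign the host key via the agent, and print the certificate path.
sign_host_cert_via_agent() {
    dir=$1
    (
        cd "$dir" || exit 1
        # Empty passphrases only so the demo is non-interactive.
        ssh-keygen -q -t ed25519 -N '' -C demo-ca -f ca_key || exit 1
        ssh-keygen -q -t ed25519 -N '' -C demo-host -f host_key || exit 1

        eval "$(ssh-agent -s)" >/dev/null || exit 1
        trap 'ssh-agent -k >/dev/null 2>&1' EXIT   # stop the agent on exit
        ssh-add ca_key || exit 1
        rm -f ca_key    # demo only: the private half is now reachable only via the agent

        # -U: the CA key is in the agent; -s names it by its public half; -h: host cert.
        ssh-keygen -q -Us ca_key.pub -h -I demo_key_id \
            -n host.example.com host_key.pub || exit 1
    ) >&2 || return 1
    printf '%s\n' "$dir/host_key-cert.pub"
}

# Run the demo only when asked: sh agent_ca_demo.sh --demo
if [ "${1:-}" = "--demo" ] && openssh_supports_agent_ca "$(ssh -V 2>&1)"; then
    ssh-keygen -L -f "$(sign_host_cert_via_agent "$(mktemp -d)")"
fi
```

On a release older than 7.6 the version check fails before any key is created, which is the situation the reply above describes.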