2 years ago

#46015

Nash

Sign a public key with a CA private key

I am trying to implement the function performed by the command `ssh-keygen -s ca_key -I <some name> -n <some principal> -V -start:+end ~/.ssh/id_rsa.pub` in Go. Here is my code:

    userPublicKey, _, _, _, err := ssh.ParseAuthorizedKey(userPublicKeyBytes)
    privPem, _ := pem.Decode(caPrivateKeyBytes)
    caPrivateKey, err := x509.ParsePKCS1PrivateKey(privPem.Bytes)

    signer, err := ssh.NewSignerFromKey(caPrivateKey)

    permissions := ssh.Permissions{
        CriticalOptions: map[string]string{},
        Extensions: map[string]string{ "permit-agent-forwarding": ""},
    }

    cert := ssh.Certificate{
        CertType: ssh.UserCert, Permissions: permissions, Key: userPublicKey,
    }

    err = cert.SignCert(rand.Reader, signer)
    log.Println(string(cert.Marshal()))

The result is a certificate that (when marshalled) starts as expected, with ssh-rsa-cert-v01@openssh.com, but instead of the base64-encoded contents, I get weird symbols:

ssh-rsa-cert-v01@openssh.com -`"�3�c�u�u.�X��&S�_^)�u��:�jJ�Đz��'B��~�A��ŷ�
6հ�@���%T��� m�����*Erkq�y��Z����t&so1TTmCt��k��f���:�Lr�
tI`��>�%���!R��<�`M>��3���BhR�ٚ./�*Pk�#���Bd�,k���W+G�P���;��IQ
                                        6$�)�k#ㄆ�]G�"�tذ&Mh>(8���-򃶶�
...
...

What am I doing wrong?

go

ssh

rsa

pki
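
An added example, not part of the original post and not code from golang.org/x/crypto/ssh: `cert.Marshal()` returns the SSH wire-format bytes, while the text form that `ssh-keygen` writes is the type name, a space, and the base64 encoding of those same bytes, which is what `ssh.MarshalAuthorizedKey` produces. The sketch below rebuilds and checks that encoding with the standard library only; the function names and the sample blob are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"encoding/binary"
	"fmt"
)

// wireKeyType reads the leading SSH "string" (uint32 length, then bytes) naming the key type.
func wireKeyType(blob []byte) (string, error) {
	if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob)) > uint64(len(blob)-4) {
		return "", errors.New("truncated wire blob")
	}
	return string(blob[4 : 4+binary.BigEndian.Uint32(blob)]), nil
}

// authorizedKeyLine renders a wire-format blob as "<type> <base64>\n".
func authorizedKeyLine(blob []byte) ([]byte, error) {
	typ, err := wireKeyType(blob)
	if err != nil {
		return nil, err
	}
	return []byte(typ + " " + base64.StdEncoding.EncodeToString(blob) + "\n"), nil
}

// parseLine decodes such a line and rejects a type name that disagrees with the blob.
func parseLine(line []byte) ([]byte, error) {
	f := bytes.Fields(line)
	if len(f) < 2 {
		return nil, errors.New("expected \"<type> <base64> [comment]\"")
	}
	blob, err := base64.StdEncoding.DecodeString(string(f[1]))
	typ, terr := wireKeyType(blob)
	if err != nil || terr != nil || typ != string(f[0]) {
		return nil, errors.New("bad base64 or type name does not match blob")
	}
	return blob, nil
}

func main() {
	// Constructed sample: a real type string plus filler bytes, not a valid certificate.
	typ := "ssh-rsa-cert-v01@openssh.com"
	blob := append([]byte{0, 0, 0, byte(len(typ))}, typ...)
	line, err := authorizedKeyLine(append(blob, 0x00, 0xff, 0x8a, 0x10))
	fmt.Printf("%s(err=%v)\n", line, err)
}
```

With the library itself the equivalent call is `ssh.MarshalAuthorizedKey(&cert)`. The `-I`, `-n` and `-V` options correspond to the `KeyId`, `ValidPrincipals` and `ValidAfter`/`ValidBefore` fields of `ssh.Certificate`, which the code in the question leaves unset.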

0 Answers
