• Upgrading vCenter Server Appliance 6.7 fails
• vCenter - /var/log/firstboot/firstbootStatus.json file contains:

• vCenter - /var/log/firstboot/vmidentity-firstboot.py_####_stdout.log file contains: 

• vCenter - /var/log/vmware/sso/vmware-sts-idmd.log file contains:
  
KeyUsage does not allow key encipherment
  
  Note: vCenter Server Appliance - each service will have it's own folder in the /var/log/vmware/ directory.
  
  

To collect a log bundle or review log files, refer to Collecting diagnostic information for VMware products

This issue occurs because vCenter Server 6.7 enforces the Key Encipherment parameter under Key Usages on SSL certificates imported into vCenter Server.

To resolve this issue, ensure that all imported certificates into vCenter Server contain the the Key Encipherment parameter under Key Usages.

For more details on:

• Certificate requirements, see Certificate Requirements for Different Solution Paths

Notes:

• The same similar symptom and the same logs when upgrading windows vCenter server 6.7 may occur. In this case, all certificates may have the key Encipherment parameter under Key Usages. 
• The issue here was due to a expired SSL certificate in the STS_INTERNAL_SSL_CERT store. Replaced this cert with the current MACHINE_SSL cert and key which will resolved this problem.

"Failed to check VMware STS. The SSL certificate of STS service cannot be verified" while upgrading VCSA from 6.5 to 6.7