Error: "The SSL certificate of STS service cannot be verified" and "KeyUsage does not allow key encipherment" appear during vCenter Server Appliance 6.7 Upgrade
This issue occurs because vCenter Server 6.7 enforces the Key Encipherment parameter under Key Usages on SSL certificates imported into vCenter Server.
Resolution
To resolve this issue, ensure that all certificates imported into vCenter Server contain the Key Encipherment parameter under Key Usages.
A similar symptom with the same log entries may occur when upgrading vCenter Server 6.7 on Windows. In this case, all certificates may already have the Key Encipherment parameter under Key Usages.
In that case, the issue was due to an expired SSL certificate in the STS_INTERNAL_SSL_CERT store. Replacing this certificate with the current MACHINE_SSL certificate and key resolved the problem.
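
The two conditions described above (Key Usage without Key Encipherment, and an expired certificate) can be checked before the upgrade. The script below is an added example, not VMware's tooling: it assumes each certificate has already been exported to a PEM file and that `openssl` is installed, and the function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upgrade check of PEM certificates for missing
# Key Encipherment and for expiry. Usage: sh check_cert.sh cert1.pem [cert2.pem ...]

# Reads `openssl x509 -noout -text` output on stdin.
# Returns 0 only if the X509v3 Key Usage extension lists "Key Encipherment".
# "X509v3 Extended Key Usage" is a different extension and is not matched.
has_key_encipherment() {
    awk '
        /X509v3 Key Usage:/ { in_ku = 1; next }   # values are on the next line
        in_ku { if ($0 ~ /Key Encipherment/) found = 1; in_ku = 0 }
        END { exit(found ? 0 : 1) }
    '
}

# check_cert FILE: prints findings, returns non-zero if either check fails.
check_cert() {
    pem=$1
    rc=0
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $pem is expired or unreadable"
        rc=1
    fi
    if ! openssl x509 -in "$pem" -noout -text 2>/dev/null | has_key_encipherment; then
        echo "FAIL: $pem Key Usage lacks Key Encipherment"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $pem"
    return "$rc"
}

# Constructed sample of `openssl x509 -noout -text` output (not a real certificate).
SAMPLE_TEXT='            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

if [ "$#" -eq 0 ]; then
    # No files given: run the parser over the constructed sample.
    printf '%s\n' "$SAMPLE_TEXT" | has_key_encipherment \
        || echo "sample: Key Usage lacks Key Encipherment"
else
    for pem in "$@"; do check_cert "$pem"; done
fi
```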