"Error occurred while fetching vmca root cert:” error appears when the Certificate Management section is clicked.
This is due to a lack of "Certificate Authority" level permissions for the logged-in user.
The minimum permission needed to view the VMCA root certificate is "Certificate Authority > Create/Delete (below Admins priv)." This permission should be applied to a roll and the User/Group must be in the Global Permissions; The vCenter object-level permission will not suffice.
Note: This permission will grant the account(s) in question the ability to sign a CSR (Certificate Signing Request) presented to the VMCA but not allow you to renew, replace, or create a new CSR for the vCenter's "__MACHINE_CERT" certificate.