vCenter upgrade to 7.0 fails during Stage 2 with certificate error "Error in appending hostname/ip" related to hvc.crt

Article ID: 382544

Updated On:

Products

VMware vCenter Server

Issue/Introduction

During an upgrade from vCenter 6.7 to vCenter 7.0, Stage 2 fails with certificate-related error messages. Users will see two error dialogs:

  • Primary error:
    Error    Error in appending hostname/ip [hostname] to Cert.
    Resolution: This is an unrecoverable error, please retry install.
  • Secondary error showing the failed command:
    Error    An error occurred while invoking external command: 'Command: ['/usr/lib/vmware-vmca/bin/certool', '--server=[hostname]', '--genCIScert', '--privkey=/etc/certs/hvc/hvc.priv', '--cert=/etc/certs/hvc/hvc.crt', '--Name=hvc', '--FQDN=[hostname]']
    Resolution: This is an unrecoverable error, please retry install. If you encounter this error again, please search for these symptoms in the VMware Knowledge Base for any known issues and possible resolutions.

The installer cannot proceed past this point and must be rolled back.

Environment

  • Source: VMware vCenter Server 6.7 with external PSC
  • Target: VMware vCenter Server 7.0

Cause

The DCAdmins group is not a member of the CAAdmins group in vSphere SSO, a condition that often occurs with an external PSC. Without this membership, certificate generation during the upgrade fails, resulting in the access denied errors seen in the certool command.

Resolution

  1. Log in to the vSphere Web Client as an administrator

  2. Navigate to Administration > Single Sign On > Users and Groups

  3. Select the Groups tab

  4. Select the CAAdmins group

  5. Click Add Member

  6. Add the DCAdmins group as a member of CAAdmins

  7. Retry the vCenter Server upgrade
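
A pre-upgrade check for the condition described under Cause, as an added example that is not part of the original article or VMware's own tooling. Assumptions: it runs on the PSC, dir-cli is at the path shown and supports `group list --name`, and members are printed one per line as a bare name or as a DN starting with `CN=<name>,`; the function names `has_member` and `check_caadmins` are hypothetical.

```shell
#!/bin/sh
# Added example: verify that DCAdmins is a member of CAAdmins before upgrading.
# Assumption: dir-cli location and one-member-per-line output (bare name or DN).
DIR_CLI=/usr/lib/vmware-vmafd/bin/dir-cli

# has_member NAME: reads a member listing on stdin; returns 0 if NAME is listed.
# Matching is case-insensitive and anchored, so "DCAdminsOld" does not match.
has_member() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    found=1
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | tr -d '\r' | tr '[:upper:]' '[:lower:]' |
                sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$entry" in
            "$want"|"cn=$want,"*) found=0 ;;
        esac
    done
    return "$found"
}

# check_caadmins: query SSO and report whether the upgrade prerequisite is met.
# Returns 0 = member present, 1 = member missing, 2 = query failed.
check_caadmins() {
    echo "dir-cli will ask for the SSO administrator password" >&2
    listing=$("$DIR_CLI" group list --name CAAdmins) || {
        echo "ERROR: could not list CAAdmins members" >&2
        return 2
    }
    if printf '%s\n' "$listing" | has_member DCAdmins; then
        echo "OK: DCAdmins is a member of CAAdmins"
    else
        echo "MISSING: add DCAdmins to CAAdmins, then retry the upgrade"
        return 1
    fi
}

# Run the live query only when requested and only where dir-cli exists.
if [ "${1:-}" = "--live" ] && [ -x "$DIR_CLI" ]; then
    check_caadmins
fi
```

Invoke the script with `--live` on the PSC; a non-zero exit status means the membership is missing or the query failed, so the Stage 2 certool step should not be retried yet.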
