Isolated Workload Domain upgrade fails: Unable to connect to the given vCenter or ESXi [vcenter-fqdn:443] on its SDK endpoint

Article ID: 410509


Products

VMware Cloud Foundation, VMware SDDC Manager

Issue/Introduction

This issue occurs when upgrading the vCenter of an isolated workload domain, which needs to communicate with the management (MGMT) domain's vCenter, after the MGMT vCenter's certificate has been replaced with one signed by a custom certificate authority. If the isolated workload vCenter does not have the corresponding root certificate in its trust store, the connection fails.

Environment

VCF 5.2.2

Resolution

  1. Export the root CA that signed the management (MGMT) vCenter certificate.
  2. Manually import this certificate into the workload vCenter’s trusted root certificates. This can be done either via the UI or API.
    (For detailed steps, refer to the following KB article: https://knowledge.broadcom.com/external/article/384966/steps-to-add-a-trusted-root-certificate.html)

  3. Restart services on the VI domain's vCenter:
    SSH into the vCenter server and run the following commands to restart the vlcm service:
    service-control --stop vlcm
    service-control --start vlcm
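
Before importing in step 2, it is worth confirming that the exported file really is the root CA and that the MGMT vCenter certificate validates against it. The following is an added example, not part of the KB article or any VMware tooling; the function names are hypothetical, file and host names are placeholders, and it assumes OpenSSL 1.1.0 or later for `-no-CApath`.

```shell
#!/bin/sh
# Added example (not from the KB article): pre-import checks for the exported root CA.
# Assumes OpenSSL 1.1.0 or later (for -no-CApath). Function names are hypothetical.

# is_root_ca FILE: succeeds only if FILE is a self-issued certificate marked CA:TRUE,
# i.e. a root, not the vCenter machine certificate or an intermediate.
is_root_ca() {
    subject=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ] || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# chains_to_root ROOT LEAF [INTERMEDIATES]: succeeds only if LEAF validates against
# ROOT alone. -no-CApath keeps the local system trust store out of the decision.
chains_to_root() {
    if [ -n "$3" ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# fetch_leaf HOST: print the certificate HOST presents on port 443 as PEM.
fetch_leaf() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# check_before_import ROOT LEAF [INTERMEDIATES]: run both checks and report.
check_before_import() {
    is_root_ca "$1" || { echo "FAIL: $1 is not a self-issued CA certificate"; return 1; }
    chains_to_root "$1" "$2" "$3" || { echo "FAIL: $2 does not chain to $1"; return 1; }
    echo "OK: $1 is a root CA and validates $2"
}
```

For example, save the output of `fetch_leaf` for the MGMT vCenter FQDN to a file and pass it, together with the exported root, to `check_before_import`. If the MGMT certificate was issued through an intermediate CA, supply the intermediate bundle as the third argument.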