Set Up a VCF 9.0 Offline Depot and VCF Download Tool (VCFDT)
To upgrade VCF to the latest version and to simplify future upgrades, it is easy to set up an offline depot web server and, on the same machine, the new VCF Download Tool (VCFDT).
I will try to describe how that is done using a Photon OS 5.0 VM, along with the dos and don'ts.
To connect to an offline depot from SDDC Manager to upgrade to newer releases and in this case 9.0, you must use the VCF Download Tool to download the upgrade bundles to the computer hosting the depot. After the bundles are downloaded, SDDC Manager can access them to perform upgrades.
I have been following these two links:
- Set Up an Offline Depot Web Server for VMware Cloud Foundation
- Download VMware Cloud Foundation 9.0 Upgrade Bundles to an Offline Depot
To be able to download VCF 9 Upgrade Bundles to an Offline Depot there are some steps that need to be in place:
Generate a Download Token
Log in to the Broadcom Support Portal and generate a download token to authorize bundle downloads.
Prepare the Offline Depot Server
Ensure the following requirements are met:
- VCF Download Tool: Download and install the latest version of the VCF Download Tool from the Broadcom Support Portal.
- Internet Access: The server must have internet connectivity.
Prevent SSH Timeouts
Configure TCP keepalive settings in your SSH client to avoid socket timeouts during long-running operations with the VCF Download Tool.
Connect SDDC Manager to the Offline Depot
After setting up the server, connect SDDC Manager to the offline depot. Refer to the official guide: Connect SDDC Manager to a Depot for Accessing Bundles.
Setting up an Offline Depot Web Server
The OS is Photon OS 5.0, which can be downloaded here: link
The web server is Apache HTTP Server.
Some requirements for the machine being set up:
- Operating System: A Linux or Windows virtual machine. For Linux, any distribution is supported (for example, CentOS, RHEL, Ubuntu).
- Storage: A dedicated disk for storing offline depot content. Minimum recommended size: 1 TB.
- Web Server and SSL: A web server to serve the offline depot content over HTTP/HTTPS. For HTTPS, the server must support TLSv1.2 and TLSv1.3. The choice of web server is flexible. For example: Apache HTTP Server, NGINX, and so on.
- Networking and Access: The virtual machine must have a static IP address. DNS records for the offline depot server are recommended but not required.
- User Access: A dedicated non-root user on the virtual machine. The user must have read/write access to the offline depot directory and appropriate permissions to run VCF Download Tool commands.
Create a new VM in vCenter with the following specs:
CPU | 2 CPU(s) |
Memory | 8 GB |
Hard disk 1 | 400 GB |
Mount the Photon ISO and follow the on-screen instructions. Once the OS is configured and the DNS and IP settings are correct, log in to the machine to start configuring Apache and VCFDT.
First upgrade the OS with the following commands:
tdnf update --assumeyes
reboot
Install Apache HTTP Server:
tdnf install httpd --assumeyes
Prepare SSL Certificates
Create a directory for the certificates:
mkdir /root/http-certificates
Generate a private key:
openssl genpkey -out /root/http-certificates/server.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
Generate a Certificate Signing Request (CSR):
openssl req -new -key /root/http-certificates/server.key -out /root/http-certificates/request.csr
Submit the CSR to the Certificate Authority (CA), or generate a self-signed certificate.
Combine the signed certificate with intermediate and root certificates into a single server.crt file (PEM format), then copy it to the certificate directory:
cp server.crt /root/http-certificates/
Move the key and certificate to the Apache configuration directory:
mv /root/http-certificates/server.* /etc/httpd/conf/
chmod 0400 /etc/httpd/conf/server.key /etc/httpd/conf/server.crt
chown root:root /etc/httpd/conf/server.key /etc/httpd/conf/server.crt
Configure Apache
Edit /etc/httpd/conf/httpd.conf to configure Apache and set the ServerName and ServerAdmin.
Enable necessary SSL modules
Run the following commands to enable SSL modules:
sed -i 's|#LoadModule ssl_module|LoadModule ssl_module|' /etc/httpd/conf/httpd.conf
sed -i 's|#LoadModule socache_shmcb_module|LoadModule socache_shmcb_module|' /etc/httpd/conf/httpd.conf
sed -i 's|#Include conf/extra/httpd-ssl.conf|Include conf/extra/httpd-ssl.conf|' /etc/httpd/conf/httpd.conf
Configure Basic Authentication
htpasswd -c /etc/httpd/conf/.htpasswd <username>
chown apache /etc/httpd/conf/.htpasswd
chmod 0400 /etc/httpd/conf/.htpasswd
Edit /etc/httpd/conf/extra/httpd-ssl.conf to update the SSL configuration.
########################
<Directory /var/www/html/PROD/COMP>
    # Basic Auth (VCF 4.x and 5.0)
    AuthType Basic
    AuthName "Basic Authentication"
    AuthUserFile /etc/httpd/conf/.htpasswd
    require valid-user
</Directory>
<Directory "/var/www/html/PROD/COMP/Compatibility/VxrailCompatibilityData.json">
    # VxRail VVS Cookie Validation (VCF 5.0)
    <If "%{HTTP:Cookie} == 'ngssosession=ngsso-token' ">
        Require all granted
    </If>
</Directory>
<Directory /var/www/html/PROD/vsan/hcl>
    <If "%{HTTP:X-vmw-esp-clientid} == 'offline-depot-hcl-vcf' ">
        Require all granted
    </If>
</Directory>
# Those Alias statements are needed only for VCF 5.1.0.0.
Alias /products/v1/bundles/lastupdatedtime /var/www/html/PROD/vsan/hcl/lastupdatedtime.json
Alias /products/v1/bundles/all /var/www/html/PROD/vsan/hcl/all.json
# Needed only if UMDS downloads are presented
<Directory /var/www/html/umds-patch-store>
    Require all granted
</Directory>
###################
Start and enable the Apache HTTP server.
httpd -t
systemctl start httpd
systemctl enable httpd
Open Required Ports in the Firewall
Edit /etc/systemd/scripts/ip4save and add:
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
systemctl restart iptables
Remove the default Apache index file.
rm -f /var/www/html/index.html
Set ownership and permissions
Create user:
useradd -m -G sudo vcfuser
# -c recreates .htpasswd, replacing the entry created earlier
htpasswd -c /etc/httpd/conf/.htpasswd vcfuser
chown apache -R /var/www/html/
find /var/www/html -type d -exec chmod 0500 {} \;
find /var/www/html -type f -exec chmod 0400 {} \;
If you do not wish to do all of the above steps manually, here is a script that will do it for you interactively.
Rename it and make it executable:
mv setup_apache_ssl.txt setup_apache_ssl.sh
chmod +x setup_apache_ssl.sh
sudo ./setup_apache_ssl.sh
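To confirm the modes and ownership that the steps above set on the key, certificate, password file and depot tree, and to re-check them after later downloads add files to the depot, the following audit reports anything that differs. It is an added example, not part of the original post or of Broadcom's tooling; the function names, the `--run` argument and the finding labels are this example's own, while the paths and modes are the ones used on this page.

```shell
#!/bin/sh
# Added example (not the page's script): report drift from the modes set above.
# Paths are the page's defaults; override the variables to audit another copy.
CONF_DIR="${CONF_DIR:-/etc/httpd/conf}"
DEPOT_ROOT="${DEPOT_ROOT:-/var/www/html}"
DEPOT_OWNER="${DEPOT_OWNER:-apache}"

# Key, certificate and password file: each must exist with mode exactly 0400.
audit_secrets() {
    for f in "$CONF_DIR/server.key" "$CONF_DIR/server.crt" "$CONF_DIR/.htpasswd"; do
        if [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$f"
        elif [ -n "$(find "$f" ! -perm 0400)" ]; then
            printf 'MODE %s\n' "$f"
        fi
    done
}

# Depot tree: directories 0500, files 0400, everything owned by DEPOT_OWNER.
audit_depot_tree() {
    find "$DEPOT_ROOT" -type d ! -perm 0500 -exec printf 'DIRMODE %s\n' {} \;
    find "$DEPOT_ROOT" -type f ! -perm 0400 -exec printf 'FILEMODE %s\n' {} \;
    find "$DEPOT_ROOT" ! -user "$DEPOT_OWNER" -exec printf 'OWNER %s\n' {} \;
}

# Print all findings; return 0 only when there are none.
audit_all() {
    findings="$(audit_secrets; audit_depot_tree)"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_all
fi
```

Saved under a name of your choice and run as root with `--run`, it exits non-zero when there is at least one finding.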
VMware Cloud Foundation Download Tool VCFDT to Obtain Installation Binaries.
To download the latest updates and binaries to the offline repo, you can use the VMware Cloud Foundation Download Tool. It downloads bundles and ESX components to the offline depot, where an SDDC Manager connected to the depot can access them.
Copy the most recent version of the VMware Cloud Foundation Download Tool to a computer with internet access and extract it.
Then look in the /bin folder, where we see a couple of tools:
- lcm-bundle-transfer-util for downloading the SDDC Manager upgrade bundle.
- vcf-download-tool for downloading the remaining upgrade bundles for NSX, vCenter, vRA, vROPS etc.
We start with downloading the SDDC Manager upgrade bundle:
First create a text file with the token created at the Broadcom portal, then issue the example command below to start the job. It will download all available files for SDDC Manager.
./lcm-bundle-transfer-util --setUpOfflineDepot -sv 5.2.1.1 --offlineDepotRootDir /var/www/html/ --depotDownloadTokenFile /root/vcf-download-tool-9.0.0.0.24703747/bin/downloadtoken.txt --offlineDepotUrl https://offdepo.catbird.local
Next, we issue the example command below with vcf-download-tool to start the job and download the remaining available bundles for NSX, vCenter, vRA, vROPS etc.
./vcf-download-tool binaries download --vcf-version 9.0.0 --automated-install -d /var/www/html --depot-download-token-file /root/vcf-download-tool-9.0.0.0.24703747/bin/downloadtoken.txt

Once this is done, we can also set up the Update Manager Download Service (UMDS) to download the ESX components required to create an upgrade image in vSphere Lifecycle Manager:
./vcf-download-tool umds install
./vcf-download-tool umds run -S --patch-store /var/www/html/umds-patch-store
./vcf-download-tool umds run vmware-umds -S --add-entitlement-token "Token from BC"
./vcf-download-tool umds run vmware-umds -D
Connect SDDC Manager to the Offline Depot
We are now done with all the bundle download preparations, so we can proceed to connect SDDC Manager to the offline repo.
First we need to add the offline repo certificate to the SDDC Manager appliance, so we SSH into SDDC Manager and then change to root-level access.
Import the offline depot web server certificate into the SDDC Manager certificate store.
Create the crt file and paste the certificate content into it.
I created my file at:
vi /tmp/offdepo.crt
Also you need to grab the password for the certificate keystore by issuing the following command:
su
cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key
Copy the password and run the command below, pointing to the crt file:
keytool -importcert -alias vcf_custom_depot -file /tmp/offdepo.crt -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store
Restart all the SDDC Manager services:
/opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
It is also good to import the CA root certificate into SDDC Manager so that it trusts the whole chain:
cat root.cer >> /etc/pki/tls/certs/ca-bundle.crt
In the SDDC UI navigation pane, click Administration -> Depot Settings.
Connect SDDC Manager to the offline depot.

We are now ready to proceed with the next step: Prepare VCF 9.0 Core Components for Upgrade.