Another option is to update the certificates manually before upgrade. See Deploying and using the SSL Certificate Automation Tool 5.5 (2057340) for instructions on using the SSL automation tool to accomplish this.
To re-generate a new default SSO Certificate, use the following steps. If using CA Signed Certificates, follow the process as per Implementing CA signed SSL certificates with vSphere 5.x (2034833):