This is just a report, maybe there is something to fix in the upgrade query.
I have a partner where the certificate changed when upgraded from 53 to 57.
I have 2 similar certificates from Edicom, one is called "Edicom EAS" and it's a root certificate, the other is called "edicom eas server".
One of my partner was using the "Edicom EAS" certificate before the upgrade, after the upgrade to 57 I received certificate errors when exchanging data, then I noticed that the Partner's certificate was now "edicom eas server".
This is just FYI.
the certificates are not assigned by their alias but by their fingerprint (SHA-1) hex string. The behavior might be strange if you have the same certificate 2 times in the internal keystore which was possible in older versions - nowadays it is not possible to import a key/certificate with a SHA1 fingerprint that already exists in the internal assignment.
Your change of certificate assignment might happen because the order might have changed and now the second certificate with the same fingerprint is returned on request.