From a technical point of view, it dosen't matter when you upgrade the keys (the current keys will continue to work). It's more the EULA which dictates it. Basically you have to ensure that you don't use the keys simultaneously. Usually you'd upgrade the keys at the time - or shortl before - you do the upgrade of vCenter Server and the hosts.
André