Why did ADFS fail to start after updating the certificates?

PROBLEM: When a new certificate was selected for service signing, token decrypting, and token signing, a restart of ADFS resulted in the ADFS service not starting with event ID 7023 reported in the System event log.

SOLUTION: Fixed by giving the ADFS_SVC account (the ADFS service account) Read permission on the new certificate’s private key, using the certificate management snap-in on the ADFS server. This is done through the “Manage Private Keys…” option in the certificate’s context menu. Without that permission the service cannot load the key it needs for signing and decrypting, which is why it fails with event ID 7023 after the certificate change.

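The same permission change can be scripted and verified from an elevated PowerShell session, which is useful for checking the ACL before restarting the service. This is an added example, not from the original page; it assumes the certificate lives in the LocalMachine\My store, the thumbprint is a placeholder you replace, and the account is the ADFS_SVC account named above (prefix with your domain).

```powershell
# Added example: grant the AD FS service account Read access to a certificate's
# private key file, the same change the "Manage Private Keys" dialog makes.
$Thumbprint     = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder, not a real value
$ServiceAccount = 'DOMAIN\ADFS_SVC'                # service account from the page

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store." }

# Locate the key file on disk. CNG keys expose Key.UniqueName, legacy CSP keys
# expose CspKeyContainerInfo.UniqueKeyContainerName, and the two live in
# different folders. (RSA only; ECDSA certificates would need a different call.)
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
    $keyDirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
                 "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
}
$keyPath = $keyDirs | ForEach-Object { Join-Path $_ $keyName } |
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyPath) { throw "Private key file '$keyName' not found under $($keyDirs -join ', ')." }

# Show who can currently read the key. If the service account is missing here,
# this is the cause of the event ID 7023 start failure after a certificate change.
$acl = Get-Acl -Path $keyPath
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Grant Read only (not Full Control) to the service account and write the ACL back.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify the new entry, then restart the AD FS service (service name: adfssrv).
(Get-Acl -Path $keyPath).Access | Where-Object { $_.IdentityReference -eq $ServiceAccount }
Restart-Service -Name adfssrv
```

Repeat for each of the three certificates (service communications, token decrypting, token signing) if they are separate certificates; a certificate whose key is held by a hardware security module exposes no file on disk and must be handled through the module's own access controls.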