Permissions for access to the new ADFS certificate have to be given to the ADFS service account.
After selecting the new certificate for service signing, token decrypting, and token signing, a restart of ADFS left the ADFS service unable to start, with event ID 7023 logged in the System event log.
This is fixed by giving the ADFS_SVC account (service account) permissions to read the certificate’s private key using the certificate management snap-in on the ADFS Server.
That setting is reached through the “Manage Private Keys” option in the certificate’s context menu.
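The check and fix described above, scripted so it can be reviewed before anything is changed and repeated on every ADFS server in a farm. This is an added example, not part of the original note and not Microsoft's or ADFS's own tooling. It assumes it runs elevated on the ADFS server with the ADFS PowerShell module installed, that the ADFS Windows service is named `adfssrv`, that the certificates sit in `LocalMachine\My`, and that the keys are RSA (it locates the key container file whose ACL “Manage Private Keys” edits, for both CNG and legacy CSP keys). The service account is read from the service definition rather than hard-coded, so `ADFS_SVC` from the note is only a placeholder here.

```powershell
# Added example (not from the original note): verify, and with -Grant repair, the
# ADFS service account's Read access to the private key file behind each certificate
# ADFS is configured to use, then show the 7023 start failures from the System log.
#Requires -RunAsAdministrator
Import-Module ADFS -ErrorAction Stop

function Get-AdfsServiceAccount {
    # Account the ADFS service (adfssrv) logs on as, e.g. DOMAIN\ADFS_SVC or a gMSA DOMAIN\name$
    $startName = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
    if (-not $startName) { throw 'ADFS service (adfssrv) not found on this host.' }
    # Normalise a local ".\account" so it can be translated to a SID
    if ($startName.StartsWith('.\')) { $startName = "$env:COMPUTERNAME\$($startName.Substring(2))" }
    return $startName
}

function Get-PrivateKeyFile {
    # Returns the on-disk key container file whose ACL "Manage Private Keys" edits (RSA keys only).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { return $null }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: %ProgramData%\Microsoft\Crypto\Keys\<UniqueName>
        $path = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } else {
        # Legacy CSP key: %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\<container>
        $path = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    if (Test-Path -LiteralPath $path) { return $path }
    return $null
}

function Test-AdfsPrivateKeyAccess {
    # For every certificate ADFS uses (Get-AdfsCertificate covers service communications,
    # token-decrypting and token-signing), report whether the service account has Read on
    # the key file. With -Grant, add the missing Read ACE, which is what the snap-in does.
    param([switch]$Grant)
    $account    = Get-AdfsServiceAccount
    $sid        = ([System.Security.Principal.NTAccount]$account).Translate([System.Security.Principal.SecurityIdentifier])
    $readRights = [System.Security.AccessControl.FileSystemRights]::Read

    foreach ($adfsCert in Get-AdfsCertificate) {
        $label = '{0} ({1})' -f $adfsCert.CertificateType, $adfsCert.Thumbprint
        $cert  = Get-Item "Cert:\LocalMachine\My\$($adfsCert.Thumbprint)" -ErrorAction SilentlyContinue
        if (-not $cert)                { Write-Warning "$label not found in LocalMachine\My"; continue }
        if (-not $cert.HasPrivateKey)  { Write-Warning "$label has no private key in this store"; continue }
        $keyFile = Get-PrivateKeyFile -Cert $cert
        if (-not $keyFile)             { Write-Warning "$label : key file could not be located"; continue }

        $acl = Get-Acl -LiteralPath $keyFile
        # Resolve identities to SIDs so the comparison does not depend on name formatting
        $hasRead = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq $sid -and
                (($_.FileSystemRights -band $readRights) -eq $readRights)
            }
        if ($hasRead)    { Write-Output "OK      $label - $account has Read on $keyFile"; continue }
        if (-not $Grant) { Write-Output "MISSING $label - $account lacks Read on $keyFile"; continue }

        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, $readRights, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $keyFile -AclObject $acl
        Write-Output "FIXED   $label - granted Read to $account on $keyFile"
    }
}

function Get-AdfsStartFailures {
    # The symptom from the note: Service Control Manager event 7023 in the System log
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7023 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Usage: inspect first, then grant and restart the service.
Get-AdfsStartFailures
Test-AdfsPrivateKeyAccess
# Test-AdfsPrivateKeyAccess -Grant
# Restart-Service adfssrv
```

Read is the only right the service needs on the key file; granting Full Control there would also let the account change the key's ACL, so the script deliberately adds no more than the snap-in's Read entry. Run it on each ADFS server, since the key file and its ACL are local to every node.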