Why does ADFS fail to start after updating the certificates?

Permissions for access to the new ADFS certificate have to be given to the ADFS service account.

With a new certificate selected for service signing, token decrypting, and token signing, a restart of ADFS resulted in the ADFS service not starting with event ID 7023 reported in the System event log.

This is fixed by giving the ADFS_SVC account (service account) permissions to read the certificate’s private key using the certificate management snap-in on the ADFS Server.

The permissions dialog is opened via the “Manage Private Keys” option in the context menu for the certificate (Certificates snap-in, Local Computer, Personal store).
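The same check and fix can be scripted. The following is an added example, not part of the original post: it reads the certificates configured in AD FS, locates each private key file on disk and grants the AD FS service account Read access where it is missing. It assumes Windows PowerShell 5.1 on the AD FS server with the ADFS module available, an elevated session, and that the AD FS Windows service is named `adfssrv`.

```powershell
# Added example: grant the AD FS service account Read access to the private keys
# of the token-signing, token-decrypting and service-communications certificates.
# Assumptions: run elevated on the AD FS server, ADFS module loaded, service 'adfssrv'.

$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
if (-not $svcAccount) { throw "AD FS service 'adfssrv' not found on this host" }

# Thumbprints of every certificate AD FS is currently configured to use
$thumbprints = Get-AdfsCertificate | Select-Object -ExpandProperty Thumbprint -Unique

foreach ($tp in $thumbprints) {
    $cert = Get-Item "Cert:\LocalMachine\My\$tp" -ErrorAction SilentlyContinue
    if (-not $cert) { Write-Warning "$tp not found in LocalMachine\My"; continue }
    if (-not $cert.HasPrivateKey) { Write-Warning "$tp has no private key"; continue }

    # Resolve the on-disk key container: CNG keys live under Crypto\Keys,
    # legacy CAPI (CSP) keys under Crypto\RSA\MachineKeys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } else {
        $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    if (-not (Test-Path $keyPath)) { Write-Warning "Key file for $tp not found at $keyPath"; continue }

    # Check whether the service account already has Read on the key file
    $acl = Get-Acl -Path $keyPath
    $hasRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $svcAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if ($hasRead) {
        Write-Host "$tp : $svcAccount already has Read on the private key"
        continue
    }

    # Equivalent of 'Manage Private Keys' -> add the service account with Read
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($svcAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "$tp : granted Read on the private key to $svcAccount"
}
```

After the ACL change, restart the service with `Restart-Service adfssrv` and confirm that no new event ID 7023 entries appear in the System log.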