If you're running a non-SYSTEM Hybrid Runbook worker and you replace your RunAs certificate, you may encounter a login failure with ClientCertificateCredential 'keyset does not exist'. To fix, you need to run the default Export-RunAsCertificateToHybridWorker script from here, and then export the cert, and re-import it into your service account's Personal store. Despite numerous pointers to just add the service account to the list of users allowed to access the private key in the SYSTEM store, this was the only fix I found.