After updating Exchange 2013/2016/2019 you might get an error when trying to open OWA or ECP. This happens because of an expired OAuth certificate.

Open Exchange PowerShell and check if the certificate has expired:

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint

If the certificate has expired, create a new one (do not forget to change the domain name):

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "

Set the new certificate for OAuth:

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

Restart the Exchange IIS App Pools:

Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

If you still get the error in OWA/ECP, you either have to wait a couple of hours (some people have reported that they had to wait for up to 6 hours) or change the time zone of the Exchange server to UTC (Coordinated Universal Time).
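
To catch the expiry before OWA/ECP stop working, the check from the first step can be run on a schedule against every server. This is an added example, not part of the original post; the function name Get-AuthCertStatus, the 60-day warning window and the sample values in the fallback branch are assumptions.

```powershell
# Classify the OAuth (Auth) certificate by its validity dates.
function Get-AuthCertStatus {
    param(
        [Parameter(Mandatory)] [string]   $Thumbprint,
        [Parameter(Mandatory)] [datetime] $NotBefore,
        [Parameter(Mandatory)] [datetime] $NotAfter,
        [datetime] $Now = (Get-Date),
        [int] $WarnDays = 60    # assumed warning window; adjust to your renewal process
    )
    $daysLeft = [math]::Floor(($NotAfter - $Now).TotalDays)

    # Later checks override earlier ones, so the most severe state wins.
    $state = 'OK'
    if ($daysLeft -le $WarnDays) { $state = 'ExpiringSoon' }
    if ($Now -ge $NotAfter)      { $state = 'Expired' }
    if ($Now -lt $NotBefore)     { $state = 'NotYetValid' }

    [pscustomobject]@{
        Thumbprint = $Thumbprint
        NotAfter   = $NotAfter
        DaysLeft   = $daysLeft
        State      = $state
    }
}

if (Get-Command Get-AuthConfig -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: look up the certificate OAuth currently uses
    # and confirm it is present and valid on each Exchange server.
    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    foreach ($server in Get-ExchangeServer) {
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumb -ErrorAction SilentlyContinue
        if ($cert) {
            Get-AuthCertStatus -Thumbprint $cert.Thumbprint -NotBefore $cert.NotBefore -NotAfter $cert.NotAfter |
                Add-Member -NotePropertyName Server -NotePropertyValue $server.Name -PassThru
        } else {
            Write-Warning "Auth certificate $thumb not found on $($server.Name)"
        }
    }
} else {
    # Outside Exchange: constructed sample values to exercise the logic.
    Get-AuthCertStatus -Thumbprint 'CONSTRUCTED-SAMPLE-THUMBPRINT' `
        -NotBefore '2019-01-01' -NotAfter '2024-01-01' -Now '2024-02-01'
}
```

Any row with State other than OK, or a "not found" warning, means the Auth certificate needs attention on that server.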