Failure when using a certificate with a private key in Password Server delegated trust


Using the PowerShell Module if you try to connect to a certificate that has a Private key you will see an error like below.

PS C:\Windows\system32> Connect-AuthAnvil -PwsDelegatedTrust -OrgId 1 -ServiceUrl -ServiceCert "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\ServiceCert.cer" -ClientCert "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\delegated_trust.pfx" -EmailAddress

WARNING: "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\delegated_trust.pfx" is not a valid file path. 
Connect-AuthAnvil : Cannot process argument transformation on parameter 'ClientCert'. Certificate "C:\Program
Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\delegated_trust.pfx" not found! 
At line:1 char:190 
+ ... r" -ClientCert "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellMo ... 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
+ CategoryInfo : InvalidData: (:) [Connect-AuthAnvil], ParameterBindingArgumentTransformationException 
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,ScorpionSoftware.AuthAnvil.PowerShellModule.Connect 

PS C:\Windows\system32>



The connections in PowerShell is failing because the certificate's private key is protected by a non-blank password.  The private keys for certificate files generated by Password Server itself always have blank passwords, while manually generated ones will typically require a non-blank one, and when specifying a PFX certificate by file-path, the module will always attempt to use a blank password.



To resolve this issue we need to configure the connection string with the Thumbprint of the certificate.

We can gather the Certificate Thumbprint by adding the Certificate to the Personal Store. Certificates stored in the Windows Certificate Store don't have passwords to protect their private keys. The following steps will walk you through the process of gathering the Thumbprint.


Step 1 Add the Certificate to your Personal Store.

Double click the Certificate 



This will launch the Import Wizard. If the certificates private key is protected by a password, then you need to specify that password.


Note: You can not change the certificate password here. To change the password here, you’d need to import it (specifying the current password), then export it via the MMC.  In the Certificate Export Wizard, you’d chose to include the private key, then you’d be prompted to specify a password.

Selecting Next will bring us to the option to select the Personal Store.



Selecting Next will allow us to complete the import and Finish.


This completes the process to of placing the Certificate in the Personal Store.


Step 2 Open MMC from the Start Menu.


Select File, Add/Remove Snap-in... then Certificates.



Choose My user account so that we can view the Personal Store. Select Add




We should now see "Certificates  - Current User" selected, Select OK



We will now be able to select the Personal Certificate Store 


Note: Your certificate should now be displayed as the above example in place of "third party".

Double click the Certificate, select Details. We will now be able to see the Thumbprint.


Note: When you copy the Thumbprint paste it in Notepad as Windows will add an extra space at the beginning and the end.


Using the Thumbprint we can now modify the connection string 

Connect-AuthAnvil -PwsDelegatedTrust -OrgId 1 -ServiceUrl -ServiceCert "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\ServiceCert.cer" -ClientCert "9d 51 66 76 a9 c0 85 84 06 eb 73 a8 e2 59 e9 4c 9f 66 87 1a" -emailaddress


At this point you should now be connected. 


PowerShell tip.

You can modify the "AuthAnvilPowerShellModule.dll.config" usually located in "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule" with the Certificate Path or the Thumbprint so that you do not have to re-enter it each time. 

<?xml version="1.0" encoding="utf-8"?>
<add key="TFA.ServiceUrl" value="" />
<add key="PWS.ServiceUrl" value="" />
<add key="PWS.ClientCert" value="9d 51 66 76 a9 c0 85 84 06 eb 73 a8 e2 59 e9 4c 9f 66 87 1a" />
<add key="PWS.ServiceCert" value="C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\ServiceCert.cer" />
<add key="SSO.ServiceUrl" value="" />


For information on how to use the PowerShell Module please see this Article.

For information on working with the Password Server and Delegated Trust please see this Article.



Password Server v2.5 and newer unless otherwise noted. 



If you have any questions or need some help, we would be happy to assist. Open a case at or send an email to

Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section