Certificates in the chain are matched by name, not by key, and are probably not the correct certificates. This issue indicates that the system is configured with a higher minimum public key length than the default of 1024 bits. A Group Policy Object (GPO) setting is the most likely cause.
To confirm the configured minimum public key length, check the minRSAPubKeyBitLength setting in the following location in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config]
To determine if the requirements for what makes a signature trustworthy have been altered:
- Enable the CAPI2 Operational log:
  - Start Event Viewer.
  - Expand Application and Service logs, Microsoft, Windows, CAPI2.
  - Right-click Operational and choose Enable.
- Try the ENS installation.
- After the installation failure, right-click the Operational log and choose Save all events.
- Disable the log, if needed.
- Review the log for failure events containing CERT_TRUST_HAS_WEAK_SIGNATURE. If you see CERT_TRUST_HAS_WEAK_SIGNATURE, the operating system requirements for what makes a signature trustworthy have probably been altered.
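The registry check and the CAPI2 log review above, scripted in PowerShell as an added example (not part of the original article or the vendor's tooling). The function names and the export path are assumptions; run it from an elevated prompt.

```powershell
# Added example. Function names and the -Path argument are hypothetical.
$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$Capi2Log  = 'Microsoft-Windows-CAPI2/Operational'

function Get-MinRsaKeyLength {
    # Returns the configured minimum RSA key length in bits,
    # or $null when the value is not set under the Config key.
    $prop = Get-ItemProperty -Path $ConfigKey -Name 'minRSAPubKeyBitLength' -ErrorAction SilentlyContinue
    if ($prop) { [int]$prop.minRSAPubKeyBitLength } else { $null }
}

# Same effect as right-clicking Operational and choosing Enable / Disable.
function Enable-Capi2Log  { wevtutil.exe sl $Capi2Log /e:true }
function Disable-Capi2Log { wevtutil.exe sl $Capi2Log /e:false }

function Export-Capi2Log {
    # Same effect as "Save all events": writes the whole log to an .evtx file.
    param([Parameter(Mandatory)][string]$Path)
    wevtutil.exe epl $Capi2Log $Path
}

function Find-WeakSignatureEvent {
    # Returns events logged since $Since whose XML payload carries the
    # CERT_TRUST_HAS_WEAK_SIGNATURE flag.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = $Capi2Log; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.ToXml() -match 'CERT_TRUST_HAS_WEAK_SIGNATURE' } |
        Select-Object TimeCreated, Id, LevelDisplayName, RecordId
}

# Order of use, matching the steps above:
#   $min = Get-MinRsaKeyLength
#   if ($null -ne $min -and $min -gt 1024) { "Minimum RSA key length raised to $min bits" }
#   $start = Get-Date
#   Enable-Capi2Log
#   ... try the ENS installation and wait for it to fail ...
#   Export-Capi2Log -Path "$env:TEMP\capi2-ens.evtx"
#   Find-WeakSignatureEvent -Since $start
#   Disable-Capi2Log
```

An empty result from Find-WeakSignatureEvent means no event in that time window carried the flag; check that the log was enabled before the installation attempt.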