The EC2 plugin currently expects the EC2 keypair to be one that has been created using the CreateKeypair API call where the private key is generated by EC2 and returned to the client. EC2 also supports the ImportKeypair API call which lets the client import a public key in case they want to use a pre-existing private key.

If I specify the name of an imported keypair in a slave template, the EC2 plugin rejects that entry because it doesn't recognize the fingerprint. Curiously, EC2 uses a 16 byte long fingerprint to identify imported keys (the fingerprint is an MD5 sum of the DER public key), whereas created keypairs are identified using 20 byte long fingerprints (the SHA-1 of the DER private key).

I don't see any reason as to why Jenkins only supports one use case and not the other.