Our tests are done against SUTs which provide their newly made CA which issues both web-server and user (login) certificates. As such, we can not use JDK or Jenkins persistent cert db files to trust those.

Jenkins Certificate credentials can actually store certificates (not just user keys as commonly used), but http-request-plugin can not build the trust chain for such almost-self-signed certs.

It took me several days to track down what went wrong in the web of KeyStore and Cert processing implementations involved, but ultimately I've reproduced and fixed the issue - will post a PR shortly.

While I have locally made the test cases for this, they do not make much sense for the internet publication (involving private CA for temporary servers on LAN).