I am trying to configure Jenkins on Windows with an SSL certificate following these instructions. Instead of using a Digicert certificate, our IT administrator would like to generate a certificate using the Windows AD CS using the certificate snap-in of mmc. However, we cannot figure out how to import the keytool-generated CSR certificate request into the certificate snap-in. If I use a certificate with a recreated certificate request in the mmc certificate store, the certificate is rejected with the following message:
keytool -importcert -alias jenkins -file "D:\Temp\jenkins\jenkins.pem" -keystore "D:\Temp\jenkins\jenkins.jks"
Enter keystore password:
keytool error: java.lang.Exception: Certificate reply does not contain public key for <jenkins>
Does anyone know how to create an SSL certificate from the Windows certificate store based on a Java keytool-created CSR certificate request?
I was able to get Jenkins running with SSL and this is what I did.
On the Jenkins Master
In the Certificate Snap-in of mmc, navigate to Certificates (Local Computer) / Personal.
Right click Personal Folder and select All Tasks / Request New Certificate...
Confirm the next two Enrollment pages by clicking on Next.
Check a Webserver Active Directory Enrollment Policy.
A Warning Message shows below the Enrollment Policy
More information is required to enroll for this certificate. Click here to configure settings.
Click on it.
Fill out the Certificate Properties:
Subject name: Common name: [the name of your jenkins server]
Alternative name: DNS: [the name of your jenkins server]
Alternative name: DNS: [the full name of your jenkins server including your domain]
Confirm the page with OK and the following two pages.
Export the Certificate as PFX format
Right click on the certificate, All Tasks / Export...
Check: Yes, export the private key
Check: Include all certificates in the certification path if possible
Check: Export all extended properties
Since we are exporting the private key, we must provide a password.
Check: Password, and enter your password and password confirmation
Pick a path for your PFX certificate and finish the export.
Rename the resulting .CER file into .PEM.
Create a java key store on the Jenkins server with
keytool -genkeypair -keysize 2048 -keyalg RSA -alias jenkins -keystore jenkins.jks
Answer the questions appropriate for your company and organisation.
Import the PFX certificate into the java keystore with
keytool -importkeystore -srckeystore jenkins.pfx -srcstoretype pkcs12 -destkeystore jenkins.jks -deststoretype JKS
Copy the jenkins.jks to the secrets directory where Jenkins is installed (in my case C:\Program Files (x86)\Jenkins\secrets).
Add the certificate to the Jenkins startup parameters:
-Djavax.net.ssl.trustStore=%JENKINS_HOME%\secrets\jenkins.jks
-Djavax.net.ssl.trustStorePassword=[your password for the java key store]
Restart the jenkins service
On the Jenkins Agent
Import the PEM certificate from above into the Java keystore from the command line with administrator privileges:
keytool -import -alias jenkins -keystore "C:\Program Files (x86)\Java\jre1.8.0_161\lib\security\cacerts" -file [your pem file]
Enter the password of the keystore (by default changeit)
Trust this certificate? [no]: yes
Make sure your jenkins-slave.xml in %JENKINS_HOME% does not contain -noCheckCertificate in the arguments.
Restart the service jenkinsslave-D__Jenkins.
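A check worth running after the -importkeystore step above and before copying jenkins.jks into the secrets folder, written as an added example (not code from the question or the answer): it reads the output of keytool -list -v and confirms that the alias really holds a private-key entry (a plain trustedCertEntry is the situation behind the "does not contain public key" error in the question) and that the certificate carries the server name as a DNS subject alternative name. The alias and host name arguments are placeholders; keytool is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of the original answer: sanity-check the JKS that
# -importkeystore produced before copying it into the Jenkins secrets folder.
# Assumes keytool is on PATH; the alias and host name are placeholders.

# Parse `keytool -list -v` output read from stdin and check that ALIAS is a
# private-key entry whose certificate carries HOST as a DNS subject alt name.
# Exit codes: 0 ok, 1 alias holds only a certificate (no private key),
# 2 alias absent, 3 HOST is not listed as a DNS SAN.
check_listing() {
    alias="$1"; host="$2"
    # Keep only the lines between "Alias name: <alias>" and the next alias header.
    block=$(awk -v a="$alias" '
        /^Alias name: / { inblock = ($0 == ("Alias name: " a)) }
        inblock         { print }')
    [ -n "$block" ] || return 2
    printf '%s\n' "$block" | grep -q '^Entry type: PrivateKeyEntry' || return 1
    # SAN lines look like "  DNSName: jenkins.example.com" in keytool's output.
    printf '%s\n' "$block" \
        | awk -v h="$host" '$1 == "DNSName:" && $2 == h { found = 1 } END { exit !found }' \
        || return 3
    return 0
}

# Run the check against a real keystore; keytool prompts for the store
# password, so it does not end up on the command line or in shell history.
check_keystore() {
    keytool -list -v -keystore "$1" | check_listing "$2" "$3"
}

# Usage: sh check_jks.sh jenkins.jks jenkins jenkins.example.com
if [ "$#" -eq 3 ]; then
    check_keystore "$1" "$2" "$3"
fi
```

A PFX exported from the Windows store usually keeps a GUID-like alias rather than "jenkins" after -importkeystore, so pass whatever alias keytool -list shows (or rename it with -changealias) before relying on it in the Jenkins configuration.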