diff --git a/src/main/java/hudson/remoting/Engine.java b/src/main/java/hudson/remoting/Engine.java
index 5bce0c15a..d42fa7d05 100644
--- a/src/main/java/hudson/remoting/Engine.java
+++ b/src/main/java/hudson/remoting/Engine.java
@@ -77,6 +77,7 @@ import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
@@ -747,6 +748,7 @@ public void closeRead() throws IOException {
 }
 }
 hudsonUrl = candidateUrls.get(0);
+SSLContext sslContext = getSSLContext(candidateCertificates, disableHttpsCertValidation);
 String wsUrl = hudsonUrl.toString().replaceFirst("^http", "ws");
 WebSocketContainer container = ContainerProvider.getWebSocketContainer();
 if (container instanceof ClientManager) {
@@ -777,7 +779,6 @@ public void closeRead() throws IOException {
 }
 }
-SSLContext sslContext = getSSLContext(candidateCertificates, disableHttpsCertValidation);
 if (sslContext != null) {
 SslEngineConfigurator sslEngineConfigurator = new SslEngineConfigurator(sslContext);
 if (hostnameVerifier != null) {
@@ -786,7 +787,7 @@ public void closeRead() throws IOException {
 client.getProperties().put(ClientProperties.SSL_ENGINE_CONFIGURATOR, sslEngineConfigurator);
 }
 }
-if (!succeedsWithRetries(this::pingSuccessful)) {
+if (!succeedsWithRetries(() -> this.pingSuccessful(sslContext))) {
 return;
 }
 if (!succeedsWithRetries(() -> {
@@ -842,12 +843,15 @@ private boolean succeedsWithRetries(java.util.concurrent.Callable condi
 @SuppressFBWarnings(
 value = {"URLCONNECTION_SSRF_FD"},
 justification = "url is provided by the user, and we are trying to connect to it")
-private Boolean pingSuccessful() throws MalformedURLException {
+private Boolean pingSuccessful(SSLContext sslContext) throws MalformedURLException {
 // Unlike JnlpAgentEndpointResolver, we do not use $jenkins/tcpSlaveAgentListener/, as that will be
 // a 404 if the TCP port is disabled.
 URL ping = new URL(hudsonUrl, "login");
 try {
 HttpURLConnection conn = (HttpURLConnection) ping.openConnection();
+if (conn instanceof HttpsURLConnection httpsConn && sslContext != null) {
+httpsConn.setSSLSocketFactory(sslContext.getSocketFactory());
+}
 int status = conn.getResponseCode();
 conn.disconnect();
 if (status == 200) {
@@ -1273,6 +1277,7 @@ private static SSLContext getSSLContext(List x509Certificates,
 SSLContext ctx = SSLContext.getInstance("TLS");
 // now we have our custom socket factory
 ctx.init(null, trustManagerFactory.getTrustManagers(), null);
+sslContext = ctx;
 }
 return sslContext;
 }
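Review bot: The new `HttpsURLConnection` branch in `pingSuccessful` installs the custom socket factory but not the hostname verifier, so the ping and the WebSocket handshake validate the server differently: the WebSocket path (earlier hunk) applies `hostnameVerifier` to the `SslEngineConfigurator` when it is non-null, while the ping keeps the JDK default verifier. If `hostnameVerifier` is what makes `-disableHttpsCertValidation` permissive (not visible here, so to be confirmed), a server whose certificate does not match the URL host will pass the WebSocket handshake but fail the ping, and the connection is abandoned before it is attempted; mirroring the WebSocket configuration closes the gap: `if (hostnameVerifier != null) { httpsConn.setHostnameVerifier(hostnameVerifier); }`. A comment above the branch would also help, e.g. `// Use the same trust configuration as the WebSocket handshake so the ping does not fail (or pass) on different grounds.` The method's `try`/`catch` continues outside the hunk, so I could not check whether `conn.disconnect()` is also reached when `getResponseCode()` throws.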
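Review bot: The added `sslContext = ctx;` in `getSSLContext` deserves a comment stating why it matters, since the surrounding lines suggest the freshly initialised context was previously built and then discarded, with `return sslContext;` handing callers whatever it held before (presumably null, though its declaration is outside the hunk); if so, a caller-supplied certificate list was silently ignored and the default JVM trust store used instead, which is a security-relevant behaviour change worth recording in the history. Something like `// Return the context built from the supplied certificates; without this the custom trust store was never used.` would do. The existing comment `// now we have our custom socket factory` is also stale now that the method returns an SSLContext rather than a factory; `// custom trust store is now wired into the context` reads more accurately.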