diff --git a/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java b/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java
index 78b095bde..459dbd457 100644
--- a/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java
+++ b/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java
@@ -29,6 +29,7 @@
 import com.cloudbees.plugins.credentials.Credentials;
 import com.cloudbees.plugins.credentials.CredentialsNameProvider;
 import com.cloudbees.plugins.credentials.CredentialsProvider;
+import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.CredentialsStore;
 import com.cloudbees.plugins.credentials.SecretBytes;
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
@@ -53,6 +54,7 @@
 import hudson.cli.UpdateJobCommand;
 import hudson.model.ItemGroup;
 import hudson.model.Job;
+import hudson.model.Node;
 import hudson.security.ACL;
 import hudson.util.Secret;
 import jenkins.model.Jenkins;
@@ -71,10 +73,12 @@
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
+import java.security.KeyStore;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.List;
 
+import jenkins.security.MasterToSlaveCallable;
 import static hudson.cli.CLICommandInvoker.Matcher.failedWith;
 import static hudson.cli.CLICommandInvoker.Matcher.succeeded;
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -353,6 +357,16 @@ public void fullSubmitOfUploadedKeystore() throws Exception {
         assertEquals(EXPECTED_DISPLAY_NAME, displayName);
     }
 
+    @Test
+    @Issue("JENKINS-70101")
+    public void useCertificateCredentialsImplOnAgent() throws Throwable {
+        Node node = r.createOnlineSlave();
+        SecretBytes uploadedKeystore = SecretBytes.fromBytes(Files.readAllBytes(p12.toPath()));
+        CertificateCredentialsImpl.UploadedKeyStoreSource storeSource = new CertificateCredentialsImpl.UploadedKeyStoreSource(null, uploadedKeystore);
+        CertificateCredentialsImpl credentials = new CertificateCredentialsImpl(CredentialsScope.GLOBAL, "my-credentials", "description", VALID_PASSWORD, storeSource);
+        assertEquals(EXPECTED_DISPLAY_NAME, node.getChannel().call(new ReadCertificateCredentialsOnAgent(credentials)));
+    }
+
     private String getValidP12_base64() throws Exception {
         return Base64.getEncoder().encodeToString(Files.readAllBytes(p12.toPath()));
     }
@@ -397,4 +411,16 @@ private CredentialsStore getFolderStore(Folder f) {
         return folderStore;
     }
 
+    private static class ReadCertificateCredentialsOnAgent extends MasterToSlaveCallable<String, Throwable> {
+        private final CertificateCredentialsImpl credentials;
+        public ReadCertificateCredentialsOnAgent(CertificateCredentialsImpl credentials) {
+            this.credentials = credentials;
+        }
+        @Override
+        public String call() throws Throwable {
+            KeyStore keyStore = credentials.getKeyStore();
+            // KeyStore is not Serializable, so we just return the DN.
+            return StandardCertificateCredentials.NameProvider.getSubjectDN(keyStore);
+        }
+    }
 }