I recently came across a situation where I needed to join Atlassian Jira and Confluence to a Synology Active Directory service 1 via a secure port (636). For this to work, the connection needed to be signed by an SSL certificate from a recognized certificate authority. However, the standard, free, method for assigning SSL certificates (in this case, LetsEncrypt) would not suffice since the certificate would need to persist for at least a year or more. This is of particular concern with applications for which updating certificate key stores will result in service downtime. Even in a situation where a certificate was purchased a vendor signed by a Certificate Authority, one would still want to lock it in for several years.