So a lot of times you may be feeding a certificate into a bespoke enterprise application. Some of them just load it into IIS and off you go, but some of them end up being Java platform crud where you need weird incantations just to import them at all. (And sometimes it's those same weird applications that also decide to opt you into HSTS...)