The place where this comes up is IMAP clients, like Thunderbird, which get the certificate warning and are forced to accept the self-signed certificate that Zimbra defaults to.
From a user training perspective, I'd rather not get the users used to hitting the accept button when those types of messages pop up.
Right now I ordered a cert for zimbra.mycompany.com from GeoTrust. It's a basic SSL webserver certificate. Installing on the MTA worked fine, but when trying to do the install to Tomcat (zmcertinstall mailbox) things went very, very wrong, and I got the dreaded "firefox cannot communicate with zimbra.mycompany.com because we share no common encryption algorithms" message on the client side.