If your certificate authority has increased their key requirements to 2048 bit your CSR may be rejected when generated like so:

# /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=CA/ST=ON/L=Toronto/O=Yourbusiness/OU=Yourdept/CN=mail.server.com"

Fortunately, the -keysize flag was added in Zimbra 6.x:

# /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 "/C=CA/ST=ON/L=Toronto/O=Yourbusiness/OU=Yourdept/CN=mail.server.com"

http://bugzilla.zimbra.com/show_bug.cgi?id=36313