Hi Ryan,
Its a fair point you raise. The circumstances I have in mind specifically relate to handling wireless guests. Because my (internal) CA is the root CA for the network, all the devices that are “not guest”, i.e. are running EAP-TLS security, are provided with the correct certification through active directory and GPO. That works fine. However, when I attach a client as a guest, that doesn’t know about my internal CA, I get certificate errors (not unexpectedly). However, if I was to have an “authoritative” certificate derived from a chain from an external CA, through my internal CA on my Wireless Controller, the guest client would “know” of the external CA, and I wouldn’t have cert errors. (I think…please feel free to correct me if I’m wrong - it’s not unknown! 
It’s not critical, it’s just a matter of tidying the operation so it looks like the real thing in the lab.
Thanks
Jim