Untrusted Cloudflare SSL Certificate

Your invalid certificate authority error is due to the fact that CloudFlare issued it, not because of how you were routing traffic. This is because you used a type of certificate meant only to secure communication between your origin server and CloudFlare's network. It is issued via what they call their "Origin Certificate Authority" explained here.

When you use CloudFlare's "Universal SSL", they will create a certificate from a legitimate Certificate Authority that is trusted by most browsers and they will serve your website's content from their servers using that real certificate.

Remember that for end-to-end TLS encryption you cannot use CloudFlare because they have access to your decrypted traffic after it arrives from your origin but before they re-encrypt it for their CDN. They are literally MITM'ing your encrypted traffic. That's acceptable if you are aware of it and choose to use it anyway, but you should know this is happening.

For a fuller explanation see this website describing the problem in greater detail. Not the prettiest looking site, but their technical arguments are irrefutable.


I found the answer here: https://support.cloudflare.com/hc/en-us/articles/200170566-Why-isn-t-SSL-working-for-my-site-

Your domain/sub-domain is not active on Cloudflare’s network

Cloudflare’s SSL will only be present for visitors to your website after you have validated the SSL certificates to your root or www DNS record by orange clouding these records in your dashboard. If the DNS record is grey clouded then the Cloudflare-issued SSL certificates will not be present.

Looks like I can't use the SSL certificate without routing the sub-domain's traffic through Cloudflare, which is undesirable in this case due to the increased latency. I did a quick test and this indeed resolved the SSL issue I was experiencing.
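A small diagnostic that ties the two answers together, added here as an example and not code from either answer or from Cloudflare: it fetches the certificate a host actually presents, flags a Cloudflare Origin CA issuer (browsers reject it unless the DNS record is proxied), and reports whether the chain verified against the local trust store. It assumes the openssl CLI is installed; the Origin CA issuer strings it matches on are an assumption, so compare them with the issuer your own certificate prints.

```shell
#!/bin/sh
# Diagnose why a host's TLS certificate is rejected: is it a Cloudflare Origin CA
# certificate (valid only on the origin<->Cloudflare leg, so it only works when the
# DNS record is orange-clouded), or does it simply not chain to a trusted root?
# Assumes the openssl CLI. The Origin CA issuer strings below are an assumption.

# classify_issuer ISSUER_LINE -> prints "origin-ca" or "other"
classify_issuer() {
  case "$1" in
    *"CloudFlare Origin"*|*"Cloudflare Origin"*) echo "origin-ca" ;;
    *) echo "other" ;;
  esac
}

# explain KIND VERIFIED(0|1) -> one-line diagnosis for the operator
explain() {
  if [ "$1" = "origin-ca" ]; then
    echo "Origin CA certificate served directly: browsers will reject it; proxy the record through Cloudflare (orange cloud) or install a publicly trusted certificate on the origin"
  elif [ "$2" = 1 ]; then
    echo "certificate chains to a root in the local trust store"
  else
    echo "certificate does not chain to a trusted root (not a Cloudflare Origin CA issue)"
  fi
}

# probe HOST [PORT]: capture the handshake, print the leaf issuer, and report
# s_client's own chain verification result against the default CA bundle.
probe() {
  host=$1; port=${2:-443}
  out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null)
  pem=$(printf '%s\n' "$out" | openssl x509 2>/dev/null) \
    || { echo "no certificate received from $host:$port"; return 1; }
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  kind=$(classify_issuer "$issuer")
  case "$out" in
    *"Verify return code: 0 (ok)"*) ok=1 ;;   # full chain verified
    *) ok=0 ;;                               # e.g. code 21 for a lone Origin CA leaf
  esac
  echo "$host:$port  $issuer"
  explain "$kind" "$ok"
}

# Usage: probe www.example.com        (proxied record: expect a public issuer)
#        probe origin.example.com     (grey-clouded record: may show Origin CA)
```

Run it against the proxied hostname and against the grey-clouded sub-domain to see which leg is presenting the Origin CA certificate.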