Also, though CloudFlare allows it specifically for this purpose, CNAMEing a naked domain isn't technically in spec for DNS. Every device / browser I've tried deals with it just fine though. If you are a stickler for rules, go with a www. subdomain.
[update]: I am guessing from the language on the "SSL encryption type" bullet:
"CloudFlare-issued or custom"
"or custom" must be what's required to host your own domain SSL cert?
They've already done as much checking for domain ownership as StartCom do, so they're free to issue you a certificate safely, especially as it will never leave their infrastructure.
BTW: they use certificates with multiple SANs, so many different domains in the same certificate (and without SNI). This allows them to terminate SSL on a single box for many different domains/customers. If you look at the certificate details, you will see many unrelated domains in the SAN list.
You can do this easily enough with a build/deploy script that sets the right headers in S3 metadata so that CloudFlare receives them with caching headers (Cache-Control, ETag, Expires, etc.)
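A sketch of the kind of deploy script the last comment describes, added here as an example and not code from any commenter. The TTL values, the "hex run in the file name means immutable" rule and the function names are assumptions; `upload_file` and its `ExtraArgs` keys are boto3's own.

```python
import mimetypes
import re
from pathlib import Path

# Assumed policy (not from the thread): a file name carrying a hex run of
# 8+ characters before its extension is treated as a content-hashed asset
# and cached for a year; everything else gets a short TTL.
FINGERPRINTED = re.compile(r"[.-][0-9a-f]{8,}\.\w+$")
LONG_TTL = 31536000   # one year, in seconds
SHORT_TTL = 300       # five minutes


def s3_extra_args(key: str) -> dict:
    """Return boto3 ExtraArgs that give the object its caching headers."""
    content_type = mimetypes.guess_type(key)[0] or "application/octet-stream"
    if FINGERPRINTED.search(key):
        cache = f"public, max-age={LONG_TTL}, immutable"
    else:
        cache = f"public, max-age={SHORT_TTL}, must-revalidate"
    return {"ContentType": content_type, "CacheControl": cache}


def plan(site_dir: str) -> dict:
    """Map every file under site_dir to its object key and ExtraArgs."""
    root = Path(site_dir)
    return {
        p.relative_to(root).as_posix(): s3_extra_args(p.name)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def deploy(site_dir: str, bucket: str) -> None:
    """Upload the site; S3 generates the ETag for each object itself."""
    import boto3  # imported here so plan() works without AWS libraries
    s3 = boto3.client("s3")
    for key, extra in plan(site_dir).items():
        s3.upload_file(str(Path(site_dir) / key), bucket, key, ExtraArgs=extra)


if __name__ == "__main__":
    import sys
    deploy(sys.argv[1], sys.argv[2])  # usage: deploy.py <site_dir> <bucket>
```

S3 stores `CacheControl` and `ContentType` as object metadata and returns them as response headers on every GET, which is what the CDN in front of the bucket sees.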