[update]: i am guessing from the language on the "SSL encryption type" bullet:
"CloudFlare-issued or custom"
or custom must be what's required to host your own domain ssl cert?
They've already done as much checking for domain ownership as StartCom do, so they're free to issue you a certificate safely, especially as it will never leave their infrastructure.
BTW: they use certificates with multiple SANs, so many different domains in the same certificate (and without SNI). This allows to terminate SSL on a single box for many different domains/customers. If you look at certificates details, you will see many unrelated domains in the SAN list.