
Can you go into why that is? I've never fully understood it myself.



The CDN nodes don't have a separate IP for HTTP-only and for HTTP+HTTPS, so if you try HTTPS, you're hitting a service that wasn't prepared for that. Same thing happens if you virtual host lots of HTTP sites on a single IP with one HTTPS site: everything is fine as long as nobody tries to do HTTPS, but if they do try, they get the cert for the one site that is doing HTTPS.
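A small offline check for the situation described in that comment, added here as an example (it is not code from this thread or from any CDN's tooling): given the subjectAltName entries of the certificate a node actually served, decide whether it covers the hostname the client asked for, using the same dNSName matching rules browsers apply (exact match, or a single leading wildcard label). The hostnames and certificate data below are constructed for the example; the live helper at the end is optional and assumes outbound access to port 443.

```python
"""Check whether a served certificate covers the requested hostname.

This is the test a browser performs when it gets the "wrong" cert from a
node that only one HTTPS site is configured on: the SAN list names some
other site, the match fails, and the connection is refused.
"""
import socket
import ssl
from typing import Iterable


def _label_match(pattern: str, name: str) -> bool:
    """Match one dNSName pattern against a hostname (case-insensitive).

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label, so '*.example.org' covers 'cdn.example.org' but not
    'example.org' or 'a.b.example.org'; '*.com' style patterns are rejected.
    """
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard must be the whole first label and nowhere else
    if len(p_labels) != len(n_labels) or len(p_labels) < 3:
        return False  # one-label wildcard only, and not directly under a TLD
    return p_labels[1:] == n_labels[1:]


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any dNSName SAN entry covers the requested hostname."""
    return any(_label_match(pat, hostname) for pat in san_names)


def diagnose(hostname: str, san_names: Iterable[str]) -> str:
    """One-line verdict: does the certificate we got match what we asked for?"""
    san_names = list(san_names)
    if cert_covers(san_names, hostname):
        return f"OK: certificate covers {hostname}"
    return (f"MISMATCH: {hostname} was served a certificate for "
            f"{', '.join(san_names) or '<no SAN entries>'}; "
            "the node is probably not configured for HTTPS on this name")


def san_dns_names(peer_cert: dict) -> list:
    """Pull the dNSName entries out of ssl.SSLSocket.getpeercert() output."""
    return [value for kind, value in peer_cert.get("subjectAltName", ())
            if kind == "DNS"]


def fetch_san_names(hostname: str, port: int = 443, timeout: float = 5.0) -> list:
    """Live helper (needs network; not exercised offline).

    Connects with SNI set to hostname, keeps chain validation on so that
    getpeercert() still returns the parsed certificate, but turns off the
    hostname check so a mismatched certificate is reported instead of
    raising.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; only the name check is skipped
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return san_dns_names(tls.getpeercert())


if __name__ == "__main__":
    # Constructed sample: a member station's API host that was only set up for
    # HTTP, served the CDN's own certificate when asked over HTTPS.
    SERVED_SANS = ["*.cdn-provider.example"]   # constructed, not a real CDN name
    print(diagnose("api.station.example", SERVED_SANS))
    print(diagnose("edge123.cdn-provider.example", SERVED_SANS))
```

The live helper keeps `verify_mode` at its default (`CERT_REQUIRED`) on purpose: Python's `getpeercert()` returns an empty dict when the chain was not validated, so disabling verification entirely would hide exactly the certificate you want to inspect.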


The CDN's servers provide the encryption, so it would make sense that the certificate is in their name. You can't do the encryption on the origin server, because the CDN needs access to the data to be able to cache it.


I understand that point; I know you can't use the certificate on another domain by design. I'm just curious why you wouldn't issue a certificate to your CDN signed with your domain as well. It's something that bothers me about npr.org especially, as it creates problems with their API for member stations wishing to go fully SSL.


But it completely breaks the certificate meaning. Imagine the bad guy giving you a fake certificate called: cdn.badguy.com and explaining that because the CDN does the encryption you can trust this domain...


[deleted]


I don't think so. For example, look at this article: https://timnash.co.uk/building-cdn-ssl-cloudfront-certificat... they upload their own certificate to the CDN.



