The "ssl2796" in the name is a Cloud Flare tracking ID in the 136,535 root domains we found that use "standard" (not "universal") Cloud Flare certificates.
Every root domain also has a subdomain wildcard line (*.example.com), which we deleted to save space.
If so, it would make no difference whether the origin server has its own certificate.
Moreover, the subdomain wildcard option on each domain is handy for obscuring a URL in a phishing email.(Their "data centers" are typically a rack or two of equipment that Cloud Flare ships to a real data center, along with installation instructions.) We asked Cloud Flare to confirm that sniffing is possible at these so-called "data centers," but they didn't respond.