Ahh, as I wasn't seeing the 495 and 496 codes in the logs, only 400, I had assumed that was what I needed to re-map. Using 495 and 496 works wonderfully!
Thanks Igor.
2016/04/14 21:46:51 [info] 7#7: *1 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 142.22.213.199, server: server.jetstar.com, request: "GET / HTTP/1.1", host: "server.com"
172.23.203.199 - - [14/Apr/2016:21:46:51 +0000] "GET / HTTP/1.1" 403 168 "-" "curl/7.40.0" "-""/C=AU/ST=NSW/L=Sydney/O=ex NSI/OU=HQ/CN=Ramon's Key/emailAddress=ramon@server.com" "/C=AU/ST=NSW/O=NSI/OU=HQ/CN=Cert Authority/emailAddress=no-reply@server.co";"FAILED"