Why is Windows 2012 R2 not trusting my self-signed certificate?

The error you are receiving is not that it is not a trusted root certificate, but that it is not able to verify up the chain to a trusted certificate. If any part of the chain is broken, untrusted, or missing, you will receive such an error. The error that I get with an untrusted, self-signed root is this: "This CA root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store." But for you, it says it cannot verify up to a trusted root certificate. This may be because, during the self-signing process, you may have told openssl to sign the certificate with a different root (not self-sign), or it may not have been set as a root CA. If it's the first, you must trust the root it was signed with instead. If it's the latter, it's a matter of setting a few properties in openssl.conf.


From what I can work out, you need to add zmaster as a Trusted source CA since that's the issuing authority. WS2k12 is trying to verify the certificate against a host it knows nothing about. You're right in that the generation method isn't important but a verifiable source is. This has the effect you're experiencing: WS2k12 isn't trusting a certificate just because it has a name of $Random_issuing_authority; it needs to be able to verify the certificate.
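
An added example (not from either answer) that checks a certificate for the two causes named above: an issuer that differs from the subject, and a self-signed certificate that is not marked as a CA. It assumes `openssl` is on the PATH and that the `basicConstraints` CA flag is the openssl.conf property the first answer refers to; the sample certificates and their names are constructed.

```shell
#!/usr/bin/env bash
# Added example; demo-root, demo-selfsigned and demo-leaf are constructed sample names.

# Classify a PEM certificate by the two properties the answers discuss.
# Prints one of: root-ca | self-signed-not-ca | issued-by-other
diagnose_cert() {
  local cert=$1 subject issuer
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  if [ "$subject" != "$issuer" ]; then
    echo "issued-by-other"      # the issuer's certificate is the one that must be trusted
  elif openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
    echo "root-ca"              # self-signed and marked as a CA
  else
    echo "self-signed-not-ca"   # self-signed, but basicConstraints does not mark it as a CA
  fi
}

# Build three constructed sample certificates in a temp dir and print its path.
make_samples() {
  local d; d=$(mktemp -d)
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  # Self-signed and marked as a CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" -extensions root_ext \
    -subj "/CN=demo-root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Self-signed, but not marked as a CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" -extensions leaf_ext \
    -subj "/CN=demo-selfsigned" -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
  # Leaf signed by demo-root rather than by itself.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=demo-leaf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -extfile "$d/demo.cnf" -extensions leaf_ext -out "$d/leaf.pem" 2>/dev/null
  echo "$d"
}

d=$(make_samples)
for c in root self leaf; do
  printf '%s: %s\n' "$c.pem" "$(diagnose_cert "$d/$c.pem")"
done
```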