Closed Bug 756057 Opened 12 years ago Closed 8 years ago

sec_error_reused_issuer_and_serial should expose certificate as a download link

Categories

(Core Graveyard :: Security: UI, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 943937

People

(Reporter: timeless, Unassigned)

Details

As dveditz knows, my employer has deployed a MITM attack. Apparently it's lazy and stupid (this is hardly surprising).

PKI is designed so that a server can revoke a certificate by roughly signing a serial number (with the issuing CA). Mozilla has embedded a number of these CA+serial number pairs in order to address stolen/broken certificates. As have Microsoft, Google and Opera.

Normally, when you successfully visit an https site, you can retrieve its certificate by clicking an icon near the URL bar. For sites where NSS or Safe-browsing reject access, Firefox hasn't completed safely and securely connecting to the site, so the indicator doesn't expose the certificate.

When trying to debug problems with bad certificates, it's helpful to be able to save and share the presented certificate (possibly for comparison). This isn't easy to do in Firefox today.

It would be helpful if the sec_error_reused_issuer_and_serial error page allowed one to save the Certificate. In my case, I would have included it in my IT ticket (and when they visit the site and see a different certificate, they'd recognize that it's different).

--

Please don't complain about how NSS handles serial numbers in this bug. Thank you.

We now have some diagnostic information on the error page that includes the certificates sent by the server. Bug 943937 would need to be implemented to make that work in this case.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard