As I understand it, Firefox's Certificate Manager does not have a mechanism or interface to distrust website or intermediary certificates, only built-in root certificates. Unfortunately, then, there is no way to block trust of the BlueCoat certificates in Firefox on any platform. The previously issued certificate might not be as big an issue as was originally thought: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/akOzSAMLf_k But then Symantec bought Blue Coat, so... http://www.theregister.co.uk/2016/06/14/symantec_blue_coat_analysis/

Re CNNIC, is there a new issue or did this take care of it: https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/