I have searched some state institutions web sites with ssllabs.com/ssltest and how well they have implemented SSL protocol. One of the most interesting thing is on ssltest they are all rated with F because they use not trusted certificate. Actually they are using a certificate issued by a state CA that is not included in browser as trusted root CA.
In this case user has to import a CA into browser (e.g. Firefox - I understand the risk and add the certificate).
I know this kind of manual adding the certificate to browser certificate store poses MITM-risk, but it is also not expected that state CA will be in browser certificate store.
In my humble opinion end-users should NEVER manually import certificate, because this is just risky and most of the end-users are not security experts to understand the risk. How do you think state CAs should act to stop this manually import madness?