diff --git a/browser/actors/NetErrorChild.jsm b/browser/actors/NetErrorChild.jsm
index 8332b69c88c2..2c62918c84a4 100644
--- a/browser/actors/NetErrorChild.jsm
+++ b/browser/actors/NetErrorChild.jsm
@@ -39,8 +39,6 @@ const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
 const SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20;
 const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30;
 const SEC_ERROR_CA_CERT_INVALID = SEC_ERROR_BASE + 36;
-const SEC_ERROR_OCSP_FUTURE_RESPONSE = SEC_ERROR_BASE + 131;
-const SEC_ERROR_OCSP_OLD_RESPONSE = SEC_ERROR_BASE + 132;
 const SEC_ERROR_REUSED_ISSUER_AND_SERIAL = SEC_ERROR_BASE + 138;
 const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144;
 const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176;
@@ -160,7 +158,7 @@ class NetErrorChild extends ActorChild {
 // This error code currently only exists for the Symantec distrust, we may need to adjust
 // it to fit other distrusts later.
 case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
- msg1 += gPipNSSBundle.formatStringFromName("certErrorTrust_Symantec", [hostString], 1) + "\n";
+ msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Symantec1") + "\n";
 break;
 default:
 msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Untrusted") + "\n";
@@ -178,7 +176,7 @@ class NetErrorChild extends ActorChild {
 if (newErrorPagesEnabled) {
 technicalInfo.textContent = "";
 let brandName = gBrandBundle.GetStringFromName("brandShortName");
- msgPrefix = gPipNSSBundle.formatStringFromName("certErrorMismatchSinglePrefix2", [brandName, hostString], 2) + " ";
+ msgPrefix = gPipNSSBundle.formatStringFromName("certErrorMismatchSinglePrefix3", [brandName, hostString], 2) + " ";
 msgPrefix += gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");
 } else {
 msgPrefix = gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");
@@ -252,7 +250,7 @@ class NetErrorChild extends ActorChild { if (newErrorPagesEnabled) { technicalInfo.textContent = ""; let brandName = gBrandBundle.GetStringFromName("brandShortName"); - msg = gPipNSSBundle.formatStringFromName("certErrorMismatchMultiple2", [brandName, hostString], 2) + " "; + msg = gPipNSSBundle.formatStringFromName("certErrorMismatchMultiple3", [brandName, hostString], 2) + " "; } else { msg = gPipNSSBundle.GetStringFromName("certErrorMismatchMultiple") + "\n"; } @@ -269,7 +267,7 @@ class NetErrorChild extends ActorChild { if (newErrorPagesEnabled) { technicalInfo.textContent = ""; let brandName = gBrandBundle.GetStringFromName("brandShortName"); - msg = gPipNSSBundle.formatStringFromName("certErrorMismatch2", [brandName, hostString], 2) + " "; + msg = gPipNSSBundle.formatStringFromName("certErrorMismatch3", [brandName, hostString], 2) + " "; } else { msg = gPipNSSBundle.formatStringFromName("certErrorMismatch", [hostString], 1); @@ -398,7 +396,7 @@ class NetErrorChild extends ActorChild { // without replicating the complex logic from certverifier code. case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED: let description = gPipNSSBundle.formatStringFromName( - "certErrorSymantecDistrustDescription", [doc.location.hostname], 1); + "certErrorSymantecDistrustDescription1", [doc.location.hostname], 1); let descriptionContainer = doc.getElementById("errorShortDescText2"); descriptionContainer.textContent = description; @@ -421,8 +419,6 @@ class NetErrorChild extends ActorChild { // and is not before the build date. case SEC_ERROR_EXPIRED_CERTIFICATE: case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: - case SEC_ERROR_OCSP_FUTURE_RESPONSE: - case SEC_ERROR_OCSP_OLD_RESPONSE: case MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE: case MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE: 
@@ -507,23 +503,39 @@ class NetErrorChild extends ActorChild {
 let textContainer = doc.getElementById("text-container");
 errorPageContainer.style.backgroundPosition = `left top calc(50vh - ${textContainer.clientHeight / 2}px)`;
 } else {
- doc.getElementById("wrongSystemTime_systemDate2").textContent = systemDate;
- let errDesc = doc.getElementById("ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE");
- let sd = doc.getElementById("errorShortDescText2");
- if (sd) {
- // eslint-disable-next-line no-unsanitized/property
- sd.innerHTML = errDesc.innerHTML;
- }
- if (es) {
- // eslint-disable-next-line no-unsanitized/property
- es.innerHTML = errWhatToDo.innerHTML;
- }
- if (est) {
- // eslint-disable-next-line no-unsanitized/property
- est.textContent = errWhatToDoTitle.textContent;
- est.style.fontWeight = "bold";
- }
- updateContainerPosition();
+ doc.getElementById("wrongSystemTime_systemDate2").textContent = systemDate;
+
+ let errDesc = doc.getElementById("ed_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE");
+ let sd = doc.getElementById("errorShortDescText");
+ // eslint-disable-next-line no-unsanitized/property
+ sd.innerHTML = errDesc.innerHTML;
+
+ let span = sd.querySelector(".hostname");
+ span.textContent = doc.location.hostname;
+
+ // The secondary description mentions expired certificates explicitly
+ // and should only be shown if the certificate has actually expired
+ // instead of being not yet valid.
+ if (msg.data.code == SEC_ERROR_EXPIRED_CERTIFICATE) {
+ let {cssClass} = this.getParams(doc);
+ let stsSuffix = cssClass == "badStsCert" ? "_sts" : "";
+ let errDesc2 = doc.getElementById(
+ `ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE${stsSuffix}`);
+ let sd2 = doc.getElementById("errorShortDescText2");
+ // eslint-disable-next-line no-unsanitized/property
+ sd2.innerHTML = errDesc2.innerHTML;
+ }
+
+ if (es) {
+ // eslint-disable-next-line no-unsanitized/property
+ es.innerHTML = errWhatToDo.innerHTML;
+ }
+ if (est) {
+ // eslint-disable-next-line no-unsanitized/property
+ est.textContent = errWhatToDoTitle.textContent;
+ est.style.fontWeight = "bold";
+ }
+ updateContainerPosition();
 }
 break;
 }
diff --git a/browser/base/content/aboutNetError-new.xhtml b/browser/base/content/aboutNetError-new.xhtml
index ed526552ace7..dad22b59d017 100644
--- a/browser/base/content/aboutNetError-new.xhtml
+++ b/browser/base/content/aboutNetError-new.xhtml
@@ -94,6 +94,7 @@
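Review bot: In the rewritten else-branch of the -507,23 hunk, `errDesc`, `sd`, `span`, `errDesc2` and `sd2` are dereferenced without null checks, although the removed code guarded `sd` with `if (sd)` and the lines kept below still guard `es` and `est`. If any lookup returns null (for instance a localized intro paragraph without the `.hostname` span; the markup is not visible in this view, so that is an assumption), the TypeError stops the handler before the "what can you do" text is filled and `updateContainerPosition()` runs, leaving the certificate warning half-rendered. Guarding each copy as below keeps the page degrading gracefully, and it keeps the hostname on `textContent` after the `innerHTML` copy so page-derived text never enters the markup path. The enclosing switch case begins and ends outside the hunk.

```javascript
// … unchanged: wrongSystemTime_systemDate2 assignment …
let errDesc = doc.getElementById("ed_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE");
let sd = doc.getElementById("errorShortDescText");
if (sd && errDesc) {
  // eslint-disable-next-line no-unsanitized/property
  sd.innerHTML = errDesc.innerHTML;

  // Hostname comes from the failing page: set it as text, never as markup.
  let span = sd.querySelector(".hostname");
  if (span) {
    span.textContent = doc.location.hostname;
  }
}

if (msg.data.code == SEC_ERROR_EXPIRED_CERTIFICATE) {
  // … unchanged: cssClass / stsSuffix / errDesc2 lookup …
  let sd2 = doc.getElementById("errorShortDescText2");
  if (sd2 && errDesc2) {
    // eslint-disable-next-line no-unsanitized/property
    sd2.innerHTML = errDesc2.innerHTML;
  }
}
// … unchanged: es / est handling and updateContainerPosition() …
```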
&nssFailure2.longDesc2;
&certerror.introPara2;
&certerror.sts.introPara;
+
&certerror.expiredCert.introPara;
&cspBlocked.longDesc;
&remoteXUL.longDesc;
&corruptedContentErrorv2.longDesc;
@@ -103,7 +104,8 @@
&clockSkewError.longDesc;
-
&certerror.expiredCert.secondPara;
+
&certerror.expiredCert.secondPara2;
+
&certerror.expiredCert.sts.secondPara;
&certerror.whatCanYouDoAboutItTitle;
@@ -112,12 +114,9 @@
&certerror.unknownIssuer.whatCanYouDoAboutIt;
&certerror.expiredCert.whatCanYouDoAboutIt2;
&certerror.expiredCert.whatCanYouDoAboutIt2;
-
&certerror.expiredCert.whatCanYouDoAboutIt2;
-
&certerror.expiredCert.whatCanYouDoAboutIt2;
&certerror.expiredCert.whatCanYouDoAboutIt2;
&certerror.expiredCert.whatCanYouDoAboutIt2;
&certerror.badCertDomain.whatCanYouDoAboutIt;
-
&certerror.badCertDomain.whatCanYouDoAboutIt;
. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details."> because this website requires a secure connection."> - +. The website is either misconfigured or your computer clock is set to the wrong time."> + + @@ -232,7 +234,7 @@ certificate."> - + , which prevents &brandShortName; from connecting securely. To visit , update your computer clock in your system settings to the current date, time, and time zone, and then refresh ."> diff --git a/browser/themes/shared/aboutNetError-new.css b/browser/themes/shared/aboutNetError-new.css index e3853c504e19..48c8d7a98039 100644 --- a/browser/themes/shared/aboutNetError-new.css +++ b/browser/themes/shared/aboutNetError-new.css @@ -47,6 +47,10 @@ button:disabled { cursor: pointer; } +#errorWhatToDoTitle { + margin-top: 2em; +} + #prefChangeContainer { display: none; } diff --git a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties index 9dd5a3174787..277842cf6756 100755 --- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties +++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties 
@@ -287,18 +287,16 @@ certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired. certErrorTrust_Untrusted=The certificate does not come from a trusted source. certErrorTrust_MitM=Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate. -# LOCALIZATION NOTE (certErrorTrust_Symantec): %S is replaced by the domain for which the certificate is valid -certErrorTrust_Symantec=The security certificate for %S is not trustworthy because the issuing organization failed to follow security practices. Certificates issued by Symantec, including the Thawte, GeoTrust, and RapidSSL brands, are not considered safe. +certErrorTrust_Symantec1=Certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign are no longer considered safe because these certificate authorities failed to follow security practices in the past. certErrorMismatch=The certificate is not valid for the name %S. -# LOCALIZATION NOTE (certErrorMismatch2, certErrorMismatchSinglePrefix2, certErrorMismatchMultiple2): %1$S is replaced by the brand name, %2$S is replaced by host name. -certErrorMismatch2=Websites prove their identity via certificates. %1$S does not trust %2$S because it uses a certificate that is not valid for %2$S. +# LOCALIZATION NOTE (certErrorMismatch3, certErrorMismatchSinglePrefix3, certErrorMismatchMultiple3): %1$S is replaced by the brand name, %2$S is replaced by host name. +certErrorMismatch3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S. # LOCALIZATION NOTE (certErrorMismatchSinglePrefix): %S is replaced by the domain for which the certificate is valid certErrorMismatchSinglePrefix=The certificate is only valid for %S. 
-# LOCALIZATION NOTE (certErrorMismatchSinglePrefix2): %3$S is replaced by the domain for which the certificate is valid -certErrorMismatchSinglePrefix2=Websites prove their identity via certificates. %1$S does not trust %2$S because it uses a certificate that is not valid for %2$S. +certErrorMismatchSinglePrefix3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S. certErrorMismatchMultiple=The certificate is only valid for the following names: -certErrorMismatchMultiple2=Websites prove their identity via certificates. %1$S does not trust %2$S because it uses a certificate that is not valid for %2$S. The certificate is only valid for the following names: +certErrorMismatchMultiple3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S. The certificate is only valid for the following names: # LOCALIZATION NOTE (certErrorExpiredNow): Do not translate %1$S (date+time of expired certificate) or %2$S (current date+time) certErrorExpiredNow=The certificate expired on %1$S. The current time is %2$S. 
@@ -308,8 +306,8 @@ certErrorExpiredNow2=Websites prove their identity via certificates, which are v certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S. certErrorNotYetValidNow2=Websites prove their identity via certificates, which are valid for a set time period. The certificate for %S appears to be not yet valid. -# LOCALIZATION NOTE (certErrorSymantecDistrustDescription): %S will be replaced by the domain for which the certificate is valid. -certErrorSymantecDistrustDescription=Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers will no longer trust Symantec, the certificate authority for %S. +# LOCALIZATION NOTE (certErrorSymantecDistrustDescription1): %S will be replaced by the domain for which the certificate is valid. +certErrorSymantecDistrustDescription1=Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign. %S uses a certificate from one of these authorities and so the website’s identity cannot be proven. certErrorSymantecDistrustAdministrator=You may notify the website’s administrator about this problem. # LOCALIZATION NOTE (certErrorCodePrefix3): %S is replaced by the error code.