"...by web nanny type software and the NSA to do man-in-the-middle attacks"
The web nanny software would have to install itself as a trusted certificate authority on your browser first, in which case it doesn't really need to create fake certs. Otherwise every site you visit will show a discrepancy/self-signed type warning. A corporate network can do it, as every PC on the network can be given a trusted certificate authority, which is usually the domain certificate management server, to allow trust of local servers and sign various items.
The NSA can only do it by installing themselves as a trusted certificate authority, or by compromising or coercing a trusted authority.
The real power is with the OS/Browser as they ultimately decide which authorities they are going to trust or not.