docs: update test count and fix pki.md inaccuracies

- README: update test count from 283 to 337
- pki.md: fix environment variable names (PKI_CA_PASSWORD)
- pki.md: correct CLI usage examples (config via env/file)
- pki.md: update pki status output format
- pki.md: clarify revocation is API-only (no CLI command)

README.md

@@ -386,7 +386,7 @@ flaskpaste/
 │   └── api/
 │       ├── __init__.py  # Blueprint setup
 │       └── routes.py    # API endpoints
-├── tests/               # Test suite (283 tests)
+├── tests/               # Test suite (337 tests)
 ├── data/                # SQLite database
 ├── run.py               # Development server
 ├── wsgi.py              # Production WSGI entry

documentation/pki.md

@@ -18,13 +18,14 @@ The PKI system provides:
 # Download CLI
 curl -o fpaste https://paste.example.com/client && chmod +x fpaste
 
-# Configure server
+# Configure server (environment or config file)
-./fpaste config server https://paste.example.com
+export FLASKPASTE_SERVER="https://paste.example.com"
+# Or: echo "server = https://paste.example.com" >> ~/.config/fpaste/config
 
-# Register (requires PKI password if set on server)
+# Register and auto-configure
 ./fpaste register --configure
 
-# Creates ~/.config/fpaste/{client.key, client.crt} and updates config
+# Creates ~/.config/fpaste/{client.key, client.crt, client.p12} and updates config
 ```
 
 ### 2. Use Authenticated Requests
@@ -45,11 +46,12 @@ echo "secret data" | ./fpaste create
 ### Enable PKI
 
 ```bash
-# Set PKI password (required for certificate operations)
+# Enable PKI and set CA password (required for certificate operations)
-export FLASKPASTE_PKI_PASSWORD="your-secure-password"
+export FLASKPASTE_PKI_ENABLED=1
+export FLASKPASTE_PKI_CA_PASSWORD="your-secure-password"
 
-# Optional: enable public registration
+# Optional: set certificate validity period (default: 365 days)
-export FLASKPASTE_REGISTRATION_ENABLED=true
+export FLASKPASTE_PKI_CERT_DAYS=365
 
 # Start server
 python run.py
@@ -75,12 +77,13 @@ curl -X POST https://paste.example.com/pki/ca \
 
 Output:
 ```
-PKI Status
+pki enabled: True
-  CA initialized: yes
+ca exists:   True
-  CA fingerprint: a1b2c3d4e5f6...
+common name: FlaskPaste CA
-  CA expires: 2034-12-25
+fingerprint: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
-  Issued certs: 5
+created:     2024-12-25T10:30:00Z
-  Revoked: 1
+expires:     2034-12-25T10:30:00Z
+download:    https://paste.example.com/pki/ca.crt
 ```
 
 ### Download CA Certificate
@@ -100,11 +103,17 @@ PKI Status
 ./fpaste pki issue -n "alice" -o ./alice-certs/ --configure
 ```
 
-### Revoke Certificate (Admin)
+### Revoke Certificate (API)
+
+Certificate revocation is done via the API:
 
 ```bash
-./fpaste pki status  # Get serial number
+# Get certificate serial from /pki/certs
-./fpaste pki revoke <serial>
+curl -H "X-SSL-Client-SHA1: <your-fingerprint>" https://paste.example.com/pki/certs
+
+# Revoke by serial number
+curl -X POST -H "X-SSL-Client-SHA1: <your-fingerprint>" \
+  https://paste.example.com/pki/revoke/<serial>
 ```
 
 ## Self-Signed Certificate (Offline)
@@ -167,11 +176,11 @@ backend flaskpaste
 
 ## Security Considerations
 
-- Store PKI password securely (environment variable, secrets manager)
+- Store `FLASKPASTE_PKI_CA_PASSWORD` securely (environment variable, secrets manager)
-- Protect CA private key (encrypted with AES-256-GCM)
+- CA private key is encrypted with AES-256-GCM using the password
-- Use strong proxy secret for header trust validation
+- Use strong `FLASKPASTE_PROXY_SECRET` for header trust validation
-- Revoke compromised certificates promptly
+- Revoke compromised certificates promptly via the API
-- Monitor audit logs for AUTH_FAILURE events
+- Monitor audit logs for `AUTH_FAILURE` events (revoked/expired certificates)
 
 ## API Reference