fpaste: add register command for public certificate enrollment

- Add register command to obtain client cert from server
- Solve PoW challenge, receive PKCS#12 bundle
- Extract cert/key, optionally update config (--configure)
- Fix registration to work without PKI_ENABLED (only needs PKI_CA_PASSWORD)
- Add skip_enabled_check param to get_ca_info() for registration path
- Update docs: README examples, API header name fix (X-Fingerprint-SHA1)

app/api/routes.py

@@ -912,8 +912,9 @@ class RegisterView(MethodView):
             # Generate random common name if not provided
             common_name = f"client-{secrets.token_hex(4)}"
 
-        # Auto-generate CA if needed
-        if get_ca_info() is None:
+        # Auto-generate CA if needed (skip PKI_ENABLED check for registration)
+        ca_info = get_ca_info(skip_enabled_check=True)
+        if ca_info is None:
             ca_days = current_app.config.get("PKI_CA_DAYS", 3650)
             try:
                 ca_info = generate_ca("FlaskPaste CA", password, days=ca_days)
@@ -935,8 +936,9 @@ class RegisterView(MethodView):
             current_app.logger.error("Certificate issuance failed: %s", e)
             return error_response("Certificate issuance failed", 500)
 
-        # Load certificates for PKCS#12 creation
-        ca_info = get_ca_info()
+        # Load CA cert for PKCS#12 (reuse ca_info from above, or refresh if it was just generated)
+        if ca_info is None or "certificate_pem" not in ca_info:
+            ca_info = get_ca_info(skip_enabled_check=True)
         ca_cert = x509.load_pem_x509_certificate(ca_info["certificate_pem"].encode())
         client_cert = x509.load_pem_x509_certificate(
             cert_info["certificate_pem"].encode()