Improve provider documentation

* Add description about the api endpoints offered by the provider
   and why create should only be called once.

improves #168

docs/csaf_provider.md

@@ -1,8 +1,27 @@
-`csaf_provider` implements the CGI interface for webservers
+`csaf_provider` implements a CGI interface for webservers
 and reads its configuration from a [TOML](https://toml.io/en/) file.
 The [setup docs](../README.md#setup-trusted-provider)
 explain how to wire this up with nginx and where the config file lives.
 
+When installed, two entpoints are offered,
+and you should use the [csaf_uploader](../docs/csaf_uploader)
+to access them:
+
+### /api/create
+
+Must be called once after all configuration values are set.
+It will write the `provider-metadata.json` and may write
+or update the`security.txt`.
+
+Once the files exist, they will **not** be overwriten
+by additional `create` calls, even if the config values have been changed.
+Changes should happen rarely and can be done manually.
+
+
+### /api/upload
+Called for each upload of a document and will update
+the CSAF structure in the file system accordingly.
+
 
 ## Provider options
 

docs/csaf_uploader.md

@@ -28,6 +28,9 @@ Help Options:
   -h, --help                                Show this help message
 ```
 E.g. creating the initial directories and files.
+This must only be done once, as subsequent `create` calls to the
+[csaf_provider](../docs/csaf_provider.md)
+may not lead to the desired result.
 
 ```bash
 ./csaf_uploader -a create  -u https://localhost/cgi-bin/csaf_provider.go