docs: fix CLI behavior mismatches in README and EXAMPLES

[danielewood]

Summary

Documentation and help text currently describe CLI behavior that does not match actual behavior in multiple places.

Underlying problems

1. EXAMPLES claims inspect/verify always show expired certificates, but both commands filter or error unless --allow-expired is set.
2. bundle help text says verification uses the system trust store, while the default --trust-store is mozilla.
3. convert help text says only p12/jks are binary formats requiring -o, but der and p7b also require -o.
4. README claims convert supports Kubernetes Secrets, but there is no --to k8s (or equivalent) output.

Why this matters

Users rely on docs for behavior and scripting. Mismatches lead to confusion, incorrect automation, and unexpected errors.

Evidence

• EXAMPLES expired certs claim: EXAMPLES.md:568-577; actual behavior: cmd/certkit/inspect.go:55-61, cmd/certkit/verify.go:108-113.
• Bundle help text vs default trust store: cmd/certkit/bundle.go:30-34, cmd/certkit/bundle.go:52.
• Convert help text vs binary formats: cmd/certkit/convert.go:25-29, cmd/certkit/convert.go:131-133.
• README Kubernetes Secrets claim: README.md:13; supported --to values: cmd/certkit/convert.go:44.

Acceptance criteria

• Docs and help text match current behavior for expired cert handling, trust store default, binary output requirements, and supported convert formats.
• If Kubernetes Secrets output is intended, add the feature and document it; otherwise update README to remove the claim.

Suggested approach

• Update the relevant doc strings and README/EXAMPLES entries to align with behavior.

Dedupe notes

Checked open issues #88–#92 and gh search issues "repo:sensiblebit/certkit" with relevant keywords; no overlapping issue found. Classified as new.

[danielewood]

Implemented in #109 and included in #110, now merged to main. Closing as complete.