Don't use ENV vars when generating SSL certs

+Copyright 2017-present Open Networking Foundation
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+See the License for the specific language governing permissions and
+limitations under the License.
+# Created by client.cnf.j2, configured by ansible
+[ ca ]
+default_ca  = CA_default
+[ CA_default ]
+dir               = {{ pki_dir }}/{{ site_name }}_im_ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.randfile
+private_key       = $dir/private/im_key.pem
+certificate       = $dir/certs/im_cert.pem
+crlnumber         = $dir/crl/crlnumber
+crl               = $dir/crl/im_crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+# Make new requests easier to sign - allow two subjects with same name
+# (Or revoke the old certificate first.)
+unique_subject    = no
+default_md        = {{ ca_digest }}
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = {{ ca_im_days }}
+preserve          = no
+# for CA that signs client certs
+policy            = policy_loose
+[ policy_loose ]
+# Allow the intermediate CA to sign more types of certs
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+[ req ]
+default_bits         = {{ ca_size }}
+default_md           = {{ ca_digest }}
+distinguished_name   = req_distinguished_name
+string_mask          = utf8only
+x509_extensions      = client_cert
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+# Some defaults
+countryName_default             = US
+stateOrProvinceName_default     = California
+localityName_default            = Menlo Park
+0.organizationName_default      = ON.Lab
+organizationalUnitName_default  = {{ site_humanname }}
+emailAddress_default            = privateca@opencord.org
+[ client_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = {{ item.altnames | join(', ') }}