Tags: openssl, libressl

How can I make "distinguished name" configurable via environment variables?


I am using libressl on Alpine with the following versions:

$ cat /etc/os-release 
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.14.2
PRETTY_NAME="Alpine Linux v3.14"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
$ libressl version -a
LibreSSL 3.3.3
built on: date not available
platform: information not available
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: information not available
OPENSSLDIR: "/etc/ssl"

I am using the following openssl.cnf file

# default section for variable definitions

DN                 = ca_dn
DISTINGUISHED_NAME = ${ENV::DN}

# certificate request configuration

[ req ]
default_bits       = 2048
default_md         = sha256
encrypt_key        = no
prompt             = no
string_mask        = utf8only
distinguished_name = ${DISTINGUISHED_NAME}

[ ca_dn ]
C                      = SE
ST                     = Stockholm County
L                      = Stockholm
O                      = Organization
OU                     = Unit
CN                     = Name 1
emailAddress           = user@domain.com

# certificate authority configuration

[ ca_ext ]
authorityKeyIdentifier = keyid, issuer
subjectKeyIdentifier   = hash
basicConstraints       = critical, CA:TRUE, pathlen:1
keyUsage               = critical, keyCertSign, cRLSign

# another distinguished name
[ other_dn ]
C                      = SE
ST                     = Stockholm County
L                      = Stockholm
O                      = Organization
OU                     = Unit
CN                     = Name 2

and I am trying to get the certificates generated with different distinguished names with the help of environment variables. So far, I have failed to achieve what I want:

$ printenv DN
$ libressl req  -newkey rsa:4096 -x509 -days 3650           \
                -keyout certs/ca.key -out certs/ca.crt      \
                -config certs/openssl.cnf -extensions ca_ext
$ libressl x509 -noout -subject -in certs/ca.crt 
subject= /C=SE/ST=Stockholm County/L=Stockholm/O=Organization/OU=Unit/CN=Name 1/emailAddress=user@domain.com
$ export DN=other_dn
$ printenv DN
other_dn
$ libressl req  -newkey rsa:4096 -x509 -days 3650           \
                -keyout certs/ca.key -out certs/ca.crt      \
                -config certs/openssl.cnf -extensions ca_ext
$ libressl x509 -noout -subject -in certs/ca.crt 
subject= /C=SE/ST=Stockholm County/L=Stockholm/O=Organization/OU=Unit/CN=Name 1/emailAddress=user@domain.com

I think I have done my job to search the internet for similar problems, but I have not come up with the exact situation (and a solution) yet. There are examples that show how to benefit from environment variables when setting SANs, but I could not see a case where the user is willing to change DNs through environment variables.

I have the following questions:

  1. Is what I am trying to achieve (i.e., have different DNs inside a configuration file and select them properly via environment variables) not doable at all?
  2. If the answer to the previous question is "No; you can achieve it," how can I use the environment variables?

Note that I have only shared a minimal (not-)working example above. In the actual case, I have a longer configuration file that encodes requests and x509 extension options properly for different servers and clients under the same CA. Should you need the full configuration file, please let me know so that I can strip the sensitive information and paste the full configuration file by updating my question.

I thank you in advance for your time and help, and I look forward to any pointers and/or constructive feedback that would solve my issue.


Solution

  • you can try to expand file variables with envsubst:

    instead of ... -config certs/openssl.cnf ...

    use ... -config <( envsubst < certs/openssl.cnf ) ...

    so $DISTINGUISHED_NAME will be applied.
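A worked version of the envsubst approach, added here as an example rather than taken from the answer above or from the LibreSSL project: it writes a constructed template (the section names ca_dn and other_dn, the temporary working directory, and the helper names render_config, selected_dn and gen_cert are all assumptions of this example), renders it with envsubst restricted to the single variable $DISTINGUISHED_NAME so that no other $ text in the file is rewritten, and refuses an empty or non-identifier section name, because envsubst silently substitutes an empty string for an unset variable and the resulting config would then carry an empty distinguished_name. Certificate generation runs only if an openssl or libressl CLI is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original question or answer): select the [req]
# distinguished_name section of an openssl.cnf per invocation by rendering a
# template with envsubst, then generate a self-signed certificate from it.
set -eu

WORKDIR="${TMPDIR:-/tmp}/dn-demo.$$"       # assumed scratch location
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed template. The quoted heredoc keeps ${DISTINGUISHED_NAME} literal
# so that envsubst, not the shell, performs the substitution later.
cat > "$WORKDIR/openssl.cnf.tmpl" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
encrypt_key        = no
prompt             = no
string_mask        = utf8only
distinguished_name = ${DISTINGUISHED_NAME}

[ ca_dn ]
C  = SE
O  = Organization
CN = Name 1

[ other_dn ]
C  = SE
O  = Organization
CN = Name 2

[ ca_ext ]
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:TRUE, pathlen:1
keyUsage             = critical, keyCertSign, cRLSign
EOF

# render_config SECTION: print the template with ${DISTINGUISHED_NAME} replaced
# by SECTION. The SHELL-FORMAT argument '$DISTINGUISHED_NAME' tells envsubst to
# substitute only that variable, so any other '$' text in the file survives.
# The sed branch is a fallback for hosts without gettext's envsubst.
render_config() {
    section="$1"
    # Only accept a plain identifier: an empty value would leave an empty
    # distinguished_name, and anything else should not land in a CA config.
    case "$section" in
        ''|*[!A-Za-z0-9_]*)
            echo "render_config: invalid section name '$section'" >&2
            return 1 ;;
    esac
    if command -v envsubst >/dev/null 2>&1; then
        DISTINGUISHED_NAME="$section" envsubst '$DISTINGUISHED_NAME' \
            < "$WORKDIR/openssl.cnf.tmpl"
    else
        sed "s/\${DISTINGUISHED_NAME}/$section/g" "$WORKDIR/openssl.cnf.tmpl"
    fi
}

# selected_dn SECTION: the distinguished_name value the rendered config carries.
selected_dn() {
    render_config "$1" | sed -n 's/^distinguished_name *= *//p'
}

# gen_cert SECTION: render the config and issue a self-signed certificate with
# whichever CLI is available, then print its subject; skips if neither exists.
gen_cert() {
    section="$1"
    for cli in openssl libressl; do
        if command -v "$cli" >/dev/null 2>&1; then
            render_config "$section" > "$WORKDIR/$section.cnf"
            "$cli" req -newkey rsa:2048 -x509 -days 1 -nodes \
                -keyout "$WORKDIR/$section.key" -out "$WORKDIR/$section.crt" \
                -config "$WORKDIR/$section.cnf" -extensions ca_ext 2>/dev/null
            "$cli" x509 -noout -subject -in "$WORKDIR/$section.crt"
            return 0
        fi
    done
    echo "no openssl/libressl CLI on PATH; skipping certificate generation" >&2
}

gen_cert ca_dn
gen_cert other_dn
```

With the SHELL-FORMAT argument omitted, envsubst rewrites every `$VAR` and `${VAR}` it finds in the file, using whatever the calling shell's environment happens to hold; naming the one variable you intend to control keeps the rendered CA configuration predictable, and the identifier check above is what stops an unset or stray variable from producing a config with an empty or unexpected distinguished_name.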