diff --git a/.gitignore b/.gitignore
index 447f991..58dcd32 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
 ssl/*.key
 ssl/*.pem
-ssl/*.csr
-/mutateme
\ No newline at end of file
+/mutateme
diff --git a/README.md b/README.md
index 0391d12..1b1c532 100644
--- a/README.md
+++ b/README.md
@@ -19,13 +19,10 @@ make test
 ## ssl/tls
-the `ssl/` dir contains a script to create a self-signed certificate, not sure this will even work when running in k8s but that's part of figuring this out I guess
-
-_NOTE: the app expects the cert/key to be in `ssl/` dir relative to where the app is running/started and currently is hardcoded to `mutateme.{key,pem}`_
+App expects the cert/key to be in `ssl/` dir relative to where the app is running/started and currently is hardcoded to `mutateme.{key,pem}`_
 ```
-cd ssl/
-make
+openssl req -x509 -newkey rsa:4096 -keyout ssl/mutateme.key -out ssl/mutateme.pem -days 3650 -nodes -subj '/CN=mutateme.mutateme.svc'
 ```
 ## docker
@@ -55,8 +52,9 @@ watcher -watch github.com/alex-leonhardt/k8s-mutate-webhook -run github.com/alex
 ## Running in docker-for-mac
+Generate cert, see above
+
 ```bash
-cd ssl && make && cd -
 make docker
 sed -i '' 's/imagePullPolicy: Always/imagePullPolicy: Never/' deploy/webhook.yaml # use local image
 sed -i '' "s/caBundle:.*/caBundle: $(cat ssl/mutateme.pem | base64)/" deploy/webhook.yaml # use local CA
diff --git a/ssl/Makefile b/ssl/Makefile
deleted file mode 100644
index b4443ee..0000000
--- a/ssl/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-APP = mutateme
-NAMESPACE = default
-
-.PHONY:cert
-cert:
- @./ssl.sh $(APP) $(NAMESPACE)
-
-.PHONY:clean
-clean:
- rm -vf *.key *.pem *.cert *.crt *.csr
-
diff --git a/ssl/csr.conf b/ssl/csr.conf
deleted file mode 100644
index 8ca0608..0000000
--- a/ssl/csr.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-[req]
-req_extensions = v3_req
-distinguished_name = req_distinguished_name
-[req_distinguished_name]
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = mutateme
-DNS.2 = mutateme.default
-DNS.3 = mutateme.default.svc
-DNS.4 = mutateme.default.svc.cluster.local
diff --git a/ssl/ssl.sh b/ssl/ssl.sh
index 188c741..123f0da 100755
--- a/ssl/ssl.sh
+++ b/ssl/ssl.sh
@@ -1,86 +1,5 @@
 #! /bin/sh
 set -uo errexit
-export APP="${1}"
-export NAMESPACE="${2}"
 export CSR_NAME="${APP}.${NAMESPACE}.svc"
-
-echo "... creating ${APP}.key"
-openssl genrsa -out ${APP}.key 2048
-
-echo "... creating ${APP}.csr"
-cat >csr.conf< /dev/null 2>&1
- if [ "$?" -eq 0 ]; then
- break
- fi
- if [[ $SECONDS -ge 60 ]]; then
- echo "[!] timed out waiting for csr"
- exit 1
- fi
- sleep 2
-done
-
-kubectl certificate approve ${CSR_NAME}
-
-SECONDS=0
-while true; do
- echo "... waiting for serverCert to be present in kubernetes"
- echo "kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}'"
- serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')
- if [[ $serverCert != "" ]]; then
- break
- fi
- if [[ $SECONDS -ge 60 ]]; then
- echo "[!] timed out waiting for serverCert"
- exit 1
- fi
- sleep 2
-done
-
-echo "... creating ${APP}.pem cert file"
-echo "\$serverCert | openssl base64 -d -A -out ${APP}.pem"
-echo ${serverCert} | openssl base64 -d -A -out ${APP}.pem
+openssl req -x509 -newkey rsa:4096 -keyout ssl/kube-admission.key -out ssl/kube-admission.pem -days 3650
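Review bot: `export CSR_NAME="${APP}.${NAMESPACE}.svc"` survives the hunk while the two lines that set APP and NAMESPACE from `$1`/`$2` are removed, so under `set -u` the script now aborts on an unbound variable unless the caller exports both, and nothing that remains reads CSR_NAME anyway. The new openssl line also produces a CN-only certificate with no subjectAltName (the deleted ssl/csr.conf carried the DNS SANs): the API server's TLS client verifies the webhook serving certificate against the service DNS name and current Go-based clients ignore the CN, so admission calls would fail the handshake. It writes `ssl/kube-admission.{key,pem}` whereas the README in this same commit and the hardcoded app path use `ssl/mutateme.{key,pem}`, and the `ssl/` prefix only resolves when the script is run from the repository root rather than from inside `ssl/` as the deleted Makefile did. Suggest keeping the argument parsing and generating with `openssl req -x509 -newkey rsa:4096 -nodes -subj "/CN=${CSR_NAME}" -addext "subjectAltName=DNS:${CSR_NAME}" -keyout "ssl/${APP}.key" -out "ssl/${APP}.pem" -days 3650` (`-addext` needs OpenSSL 1.1.1 or newer); if the line is merely truncated in this view and already carries `-nodes`/`-subj`, only the SAN and naming points apply.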