diff --git a/README.md b/README.md index baeb8ad..a2c1875 100644 --- a/README.md +++ b/README.md 
@@ -142,57 +142,13 @@ In order to modify the deployment follow these steps: 1. Modify the GROUPS env variable to contain the list of classes (openshift groups) of which you would like to assign class labels. This file is found here: webhooks/assign-class-label/deployment.yaml -2. Generate a new OpenSSL certificate +2. Change namespace variable in the kubernetes manifests to match namespace you want the webhook to be deployed to. - ``` - openssl req -x509 -sha256 -newkey rsa:2048 -keyout webhook.key -out webhook.crt -days 1024 -nodes -addext "subjectAltName = DNS.1:service_name.namespace.svc" - ``` - - When deployed to rhods-notebooks the command was specified as such: - - ``` - openssl req -x509 -sha256 -newkey rsa:2048 -keyout webhook.key -out webhook.crt -days 1024 -nodes -addext "subjectAltName = DNS.1:assign-class-label-webhook.rhods-notebooks.svc" - ``` - -3. Add the cert and key to the required resources: - - ``` - cat webhook.crt | base64 | tr -d '\n' - ``` - - ``` - cat webhook.key | base64 | tr -d '\n' - ``` - - This will encode the certificate and key in base64 format which is required. Copy the output of the webhook.crt to the caBundle in webhooks/assign-class-label/webhook-config.yaml. Then create a secret.yaml that looks like this - - ``` - apiVersion: v1 - kind: Secret - metadata: - name: webhook-cert - type: Opaque - data: - webhook.crt: - webhook.key: - ``` - - Copy and paste the output of the cat command to the respective fields for webhook.crt and webhook.key. Then execute - - ``` - oc apply -f secret.yaml --as system:admin - ``` - - within the same namespace that your webhook will be deployed to. - - -4. Change namespace variable in the kubernetes manifests to match namespace you want the webhook to be deployed to. - -5. From webhooks/assign-class-label/ directory run: +3. From webhooks/assign-class-label/ directory run: ``` oc apply -k . 
--as system:admin ``` -***Steps 2, 3, and 4 are only required if you are deploying to a new namespace/environment.*** +***Step 2 is only required if you are deploying to a new namespace/environment.*** The python script and docker image used for the webserver should not need changes made to it. But in the case that changes must be made, the Dockerfile and python script can be found at docker/src/python/assign-class-label/. diff --git a/webhooks/assign-class-label/certificate.yaml b/webhooks/assign-class-label/certificate.yaml new file mode 100644 index 0000000..fb48405 --- /dev/null +++ b/webhooks/assign-class-label/certificate.yaml @@ -0,0 +1,12 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: assign-class-label-tls +spec: + secretName: assign-class-label-tls + issuerRef: + name: assign-class-label-issuer + kind: Issuer + commonName: "rhods-notebooks.svc" + dnsNames: + - assign-class-label-webhook.rhods-notebooks.svc diff --git a/webhooks/assign-class-label/deployment.yaml b/webhooks/assign-class-label/deployment.yaml index aa2c246..d4afc68 100644 --- a/webhooks/assign-class-label/deployment.yaml +++ b/webhooks/assign-class-label/deployment.yaml @@ -17,8 +17,13 @@ spec: ports: - containerPort: 443 volumeMounts: - - name: cert - mountPath: /certs + - name: tls + mountPath: /certs/webhook.crt + subPath: tls.crt + readOnly: true + - name: tls + mountPath: /certs/webhook.key + subPath: tls.key readOnly: true resources: limits: @@ -30,6 +35,6 @@ spec: value: "cs210,cs599-pmpp" serviceAccountName: webhook-sa volumes: - - name: cert + - name: tls secret: - secretName: webhook-cert + secretName: assign-class-label-tls diff --git a/webhooks/assign-class-label/issuer.yaml b/webhooks/assign-class-label/issuer.yaml new file mode 100644 index 0000000..1efd34c --- /dev/null +++ b/webhooks/assign-class-label/issuer.yaml @@ -0,0 +1,6 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: assign-class-label-issuer +spec: + selfSigned: {} 
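Review bot: The namespace is hard-coded into this Certificate's `dnsNames` entry (`assign-class-label-webhook.rhods-notebooks.svc`), and the webhook-config.yaml hunk hard-codes it again in `cert-manager.io/inject-ca-from: rhods-notebooks/assign-class-label-tls` and in `clientConfig.service.namespace`, so the README's new step 2 ("change namespace variable in the kubernetes manifests") is probably not sufficient: kustomize's namespace transformer rewrites `metadata.namespace`, not annotation values or SAN entries, and a deployment to another namespace would get a certificate whose SAN does not match the service plus a cainjector lookup in the wrong namespace. Either list these three places in the README or derive them from one kustomize replacement. `commonName: "rhods-notebooks.svc"` is not the service name either; it is harmless because the API server checks the SAN, but setting it to the same FQDN avoids confusion. Consider also adding `privateKey:` / `  rotationPolicy: Always` so each renewal generates a fresh key instead of reusing the one already in the secret (cert-manager's default is `Never`).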
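Review bot: Mounting `tls.crt`/`tls.key` through `subPath` in the volumeMounts hunk means the container never sees a renewed secret: Kubernetes does not propagate Secret updates into subPath mounts, so when cert-manager renews `assign-class-label-tls` (by default 30 days before a 90-day expiry) cainjector updates caBundle to the new self-signed certificate while the pod keeps serving the old one, and the API server rejects the webhook's TLS until the pod is restarted. Mount the whole secret at `/certs` and use `items` to keep the `webhook.crt`/`webhook.key` names the container expects; this also changes the `volumes` hunk below. The server still has to re-read the files after they change, so if the Python server loads them once at startup a restart (or a reload on file change) is still needed after renewal and the README should say so either way.
```yaml
        volumeMounts:
          - name: tls
            mountPath: /certs
            readOnly: true
# … unchanged: resources, env, serviceAccountName …
      volumes:
        - name: tls
          secret:
            secretName: assign-class-label-tls
            items:
              - key: tls.crt
                path: webhook.crt
              - key: tls.key
                path: webhook.key
```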
diff --git a/webhooks/assign-class-label/kustomization.yaml b/webhooks/assign-class-label/kustomization.yaml index 7518b52..efd305c 100644 --- a/webhooks/assign-class-label/kustomization.yaml +++ b/webhooks/assign-class-label/kustomization.yaml @@ -5,10 +5,11 @@ commonLabels: app: assign-class-label-webhook resources: + - issuer.yaml + - certificate.yaml - deployment.yaml - service.yaml - webhook-config.yaml - serviceaccount.yaml - role.yaml - rolebinding.yaml - - secret.yaml diff --git a/webhooks/assign-class-label/webhook-config.yaml b/webhooks/assign-class-label/webhook-config.yaml index 4afc6b3..978be1c 100644 --- a/webhooks/assign-class-label/webhook-config.yaml +++ b/webhooks/assign-class-label/webhook-config.yaml 
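Review bot: Dropping `secret.yaml` from `resources` does not remove the `webhook-cert` Secret that earlier deployments created: `oc apply -k .` does not prune, so the old manually generated private key stays in the namespace alongside the cert-manager-issued one. Add a cleanup step to the README, e.g. `oc delete secret webhook-cert -n <namespace>` once `assign-class-label-tls` has been issued, or apply with `--prune` and a label selector. If a `secret.yaml` holding that key was ever committed it is not deleted by this diff and should be removed from the tree as well.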
@@ -2,14 +2,15 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: assign-class-label-webhook + annotations: + cert-manager.io/inject-ca-from: rhods-notebooks/assign-class-label-tls webhooks: -- name: assign-class-label-webhook.nerc.com +- name: assign-class-label-webhook.rhods-notebooks.svc clientConfig: service: namespace: rhods-notebooks name: assign-class-label-webhook path: /mutate - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvakNDQW9xZ0F3SUJBZ0lVZjBXOXFOVS92OERkdjNKSktJVWV6Z1Z0YTJVd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1FqRUxNQWtHQTFVRUJoTUNXRmd4RlRBVEJnTlZCQWNNREVSbFptRjFiSFFnUTJsMGVURWNNQm9HQTFVRQpDZ3dUUkdWbVlYVnNkQ0JEYjIxd1lXNTVJRXgwWkRBZUZ3MHlOVEEyTVRFeE5qVXdOVGRhRncweU9EQXpNekV4Ck5qVXdOVGRhTUVJeEN6QUpCZ05WQkFZVEFsaFlNUlV3RXdZRFZRUUhEQXhFWldaaGRXeDBJRU5wZEhreEhEQWEKQmdOVkJBb01FMFJsWm1GMWJIUWdRMjl0Y0dGdWVTQk1kR1F3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQgpEd0F3Z2dFS0FvSUJBUUMweklTVkZLc2EyUWoxRmR3UE4rVkh2VnlyUnlRbWJycGgxVklRWWhOY21UaGpBenFaClFOQURMbXlyZzFrcnI4RysrQWhmVzlzYzhjMDFGckM1NHVRQ082K0dQbXBVaHpUd2tsVTUwQkdaS1hOV2ZJNFUKSjlRWklYT1YvUER1TFZyQVhMYzBnOFlGV1pENTFWNnhDcVN2cDdoUGNHNUJSUjNuUm53ZEQweXNnbVJnMExMQQp4VWg2eitEaE1ibkpRV2pRWmJIQ282djVVYkFSQkJOT0FTRWVkSHNqa2dxTXM2SVVDYzJHbnZWRXhRcWxMRWJtClFveVoyRS95L3cxc1JySTFXQTdQK3J5cEZMKzVZMTdXYVlmUnZYSW5MT29oRlRDc1A0cUJLekExYit2cFVUY1kKSnFlVGNGQ0xWVEtrVHR3T0JxY3Q0clBmUjBVT1NkSTdQT3hkQWdNQkFBR2pnWTh3Z1l3d0hRWURWUjBPQkJZRQpGSXUzM2pSbjVMZkJ6UjVYMldCaElCODU5clVXTUI4R0ExVWRJd1FZTUJhQUZJdTMzalJuNUxmQnpSNVgyV0JoCklCODU5clVXTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3T1FZRFZSMFJCREl3TUlJdVlYTnphV2R1TFdOc1lYTnoKTFd4aFltVnNMWGRsWW1odmIyc3VjbWh2WkhNdGJtOTBaV0p2YjJ0ekxuTjJZekFOQmdrcWhraUc5dzBCQVFzRgpBQU9DQVFFQWIwZHpJN3lwZnVWVFY1UXM2UHgzcDVPQVhMc0o3eUhoUWIvV1grN2ZTWWVwa1dCcmdNY09JemRyClovY0o5b3ZQWkRYZ0Y4OEtIMCtYSC9LaVZoYkFrZkVGWlNyNFN4WG5udFJkeHpNNjJDdml0bVIwTS81MzdoYWgKeFJEbVNEcHUvVnRBUUxRdzF6U2VtWG5MbnlkblVJWjZXODlxL2ZaNUpBZHRGNUFYU3U1L2cwNkIrcmtFRGNTVAoya2NhOG4zWWo0Y0pqa3RXbi9NaE1JS29oSUY0bWpJ
b3M5Q3Y5U1B4Smh5aUZwUCtyLzNPbGdKeVNlMFJibFJ2ClNVeHcxRVRDdmY5MXNER3YwZGJwTllXbDZ0WnVSdHlIaE93UXlrRWdickcxMnYwdk1qU2VwVHVTeW5mT3FGYkoKUGRvRWs3MDlsUGRWK0pFdllwUWVnVTA5S3ZaMlBRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= rules: - operations: ["CREATE"] apiGroups: [""]