diff --git a/.gitignore b/.gitignore
index b4d8ee8..f8d52bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,8 @@
 rootfs/bin/minio
 rootfs/bin/boot
 vendor/
+genssl/server.cert
+genssl/server.csr
+genssl/server.key
+genssl/server.pem
+manifests/deis-minio-secretssl-final.yaml
diff --git a/Makefile b/Makefile
index 3aaad00..b70454e 100644
--- a/Makefile
+++ b/Makefile
@@ -41,6 +41,12 @@ docker-push: docker-build
 deploy: build docker-build docker-push kube-rc
+ssl-cert:
+ # generate ssl certs
+ docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/gen.sh && ./genssl/manifest-replace.sh
+ # replace values in ssl secrets file
+ docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/manifest_replace.sh
+
 kube-rc: kube-service
 kubectl create -f ${RC}
diff --git a/boot.go b/boot.go
index 24ab040..5b1cdfb 100644
--- a/boot.go
+++ b/boot.go
@@ -103,7 +103,7 @@ func main() {
 AccessKey: access,
 },
 }
- t := template.New("Secret template")
+ t := template.New("MinioTpl")
 t, err = t.Parse(templv2)
diff --git a/genssl/gen.sh b/genssl/gen.sh
new file mode 100755
index 0000000..d9612e0
--- /dev/null
+++ b/genssl/gen.sh
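Review bot: The ignore list misses `genssl/server.pass.key`, the intermediate file gen.sh writes before it runs `rm`; if gen.sh aborts between `genrsa` and `rm` (it has no `set -e`), a private key protected only by the passphrase `x` sits in the work tree untracked but not ignored, one careless `git add .` away from the repo. Add `genssl/server.pass.key` next to the other `genssl/` entries. Conversely `genssl/server.pem` is ignored but nothing in this commit produces a file of that name, so it is either a stale entry or meant to be `server.key`; worth confirming which.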
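Review bot: The first recipe line of `ssl-cert` cannot succeed as written: the `&&` is parsed by make's host shell, not by the `/bin/ash` inside the container, so after `docker run` returns it tries to execute `./genssl/manifest-replace.sh` on the host, and that file does not exist (the script added in this commit is `manifest_replace.sh`, with an underscore). The recipe therefore fails before the second `docker run`, which is the line that actually renders the secret. Drop the suffix so the line reads `docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/gen.sh`; the following line already runs the replacement step in its own container. Two smaller points: `alpine:3.2` is pulled by tag rather than digest, so what generates the key can change under you, and the container runs as root, so the key material it writes into the bind-mounted checkout will most likely be root-owned on the host.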
@@ -0,0 +1,14 @@
+# this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell.
+# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory.
+
+apk add --update-cache openssl
+rm -rf /var/cache/apk/*
+
+# these commands are adapted from the very clear and extensive Heroku documents on creating a self-signed SSL certificate: https://devcenter.heroku.com/articles/ssl-certificate-self#generate-private-key-and-certificate-signing-request
+
+openssl genrsa -des3 -passout pass:x -out ./genssl/server.pass.key 2048
+openssl rsa -passin pass:x -in ./genssl/server.pass.key -out ./genssl/server.key
+rm ./genssl/server.pass.key
+openssl req -new -key ./genssl/server.key -subj "/C=US/ST=California/L=San Francisco/O=Engine Yard" -out ./genssl/server.csr
+# generate the cert
+openssl x509 -req -days 365 -in ./genssl/server.csr -signkey ./genssl/server.key -out ./genssl/server.cert
diff --git a/genssl/manifest_replace.sh b/genssl/manifest_replace.sh
new file mode 100755
index 0000000..df554bc
--- /dev/null
+++ b/genssl/manifest_replace.sh
@@ -0,0 +1,11 @@
+# this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell.
+# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory.
+# finally, it also expects that a 'server.cert' and 'server.key' in ./genssl. it uses those as the SSL cert and private key (AKA .pem) files, respectively
+
+FILE_CONTENTS="$(cat ./manifests/deis-minio-secretssl.yaml)"
+CERT="$(base64 ./genssl/server.cert)"
+PEM="$(base64 ./genssl/server.key)"
+
+FILE_CONTENTS="${FILE_CONTENTS/ACCESS_CERT/$CERT}"
+FILE_CONTENTS="${FILE_CONTENTS/ACCESS_PEM/$PEM}"
+echo "$FILE_CONTENTS" > ./manifests/deis-minio-secretssl-final.yaml
diff --git a/manifests/deis-minio-secretssl.yaml b/manifests/deis-minio-secretssl.yaml
index 7001a69..2eaccc8 100644
--- a/manifests/deis-minio-secretssl.yaml
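Review bot: The `-subj` on the `openssl req` line carries no CN and the `openssl x509 -req` line adds no subjectAltName, so the resulting certificate names no host at all; no TLS client can match it against the minio service name, which means every consumer will end up disabling verification and the cert buys nothing over plaintext. The script also has no `set -e`, so a failing `genrsa` or `rsa` lets the later steps run against a missing key, and `server.pass.key` (protected only by the passphrase `x`) is left behind in the bind-mounted host directory whenever the `rm` is not reached. The `-des3 -passout pass:x` round trip adds nothing since the key is decrypted again on the next line; generate the key directly and `chmod 600` it, because the file is written by root into the host checkout and I do not believe OpenSSL 1.0.x (what alpine:3.2 ships) makes `-out` files private beyond the umask — worth checking. Passing `-sha256` explicitly keeps the signature digest independent of whatever that image's OpenSSL defaults to. The rewrite below does all of this; `MINIO_HOST` stands for the DNS name clients use to reach minio, which is not visible in this diff and would have to be supplied (for example via `docker run -e` from the Makefile) or hard-coded to the service name.
```shell
set -eu
# … unchanged: apk add / cache cleanup, Heroku reference comment …
openssl genrsa -out ./genssl/server.key 2048
chmod 600 ./genssl/server.key
openssl req -new -sha256 -key ./genssl/server.key \
  -subj "/C=US/ST=California/L=San Francisco/O=Engine Yard/CN=${MINIO_HOST}" -out ./genssl/server.csr
# SAN is what modern clients actually check; the ext file holds no secret material
printf 'subjectAltName=DNS:%s\n' "${MINIO_HOST}" > ./genssl/server.ext
openssl x509 -req -sha256 -days 365 -in ./genssl/server.csr -signkey ./genssl/server.key \
  -extfile ./genssl/server.ext -out ./genssl/server.cert
```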
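Review bot: `base64` on alpine's busybox wraps its output at 76 columns, so `$CERT` and `$PEM` are multi-line strings; once spliced in under the template's `access-cert: |` block scalar the continuation lines land at column 0, which ends the block scalar and leaves a manifest kubectl will reject. Strip the newlines at the source: `CERT="$(base64 ./genssl/server.cert | tr -d '\n')"` and `PEM="$(base64 ./genssl/server.key | tr -d '\n')"`. Without `set -eu` at the top, a missing `server.cert` or `server.key` makes `base64` fail into an empty string and the script happily writes a Secret with empty values, so the precondition the header comment describes should be enforced rather than assumed. `${var/pat/rep}` is a bash extension that busybox ash only accepts when built with bash compatibility, which I believe Alpine enables but which is worth confirming on this image rather than relying on silently. The rendered file holds the private key, so set `umask 077` before the final `echo` so it is not created world-readable on the host.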
+++ b/manifests/deis-minio-secretssl.yaml
@@ -1,9 +1,13 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: minio-user
+ name: minio-ssl
 heritage: deis
 type: Opaque
 data:
- access-cert: OFRaUlkySlJXTVBUNlVNWFI2STUK
- access-pem: Z2JzdHJPdm90TU1jZzJzTWZHVWhBNWE2RXQvRUk1QUx0SUhzb2JZawo=
+ # generated by make ssl-cert
+ access-cert: |
+ ACCESS_CERT
+ # generated by make ssl-cert
+ access-pem: |
+ ACCESS_PEM
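Review bot: The `access-cert: |` / `ACCESS_CERT` block-scalar layout makes the template fragile: a Secret `data:` value is a single base64 token, and the block form only survives if the generator substitutes exactly one line at the right indent, which busybox `base64` does not do by default. Use plain scalars, `access-cert: ACCESS_CERT` and `access-pem: ACCESS_PEM`, so the rendered value is parsed as one token and a bad substitution fails loudly instead of producing a truncated secret. The two removed `data` values decode to what looks like a static access-key pair that was committed to the repository; it stays in git history, so if those credentials were ever live they should be treated as leaked and rotated. The `# generated by make ssl-cert` comments would be more useful if they said what this file is, since it is committed with placeholders and the applied artifact is the ignored `-final.yaml`: `# template only: run 'make ssl-cert' and apply deis-minio-secretssl-final.yaml`.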