diff --git a/Makefile b/Makefile index 2fe1425..b1843a1 100644 --- a/Makefile +++ b/Makefile @@ -10,11 +10,14 @@ BINDIR := ./rootfs/bin DEV_REGISTRY ?= $(docker-machine ip deis):5000 DEIS_REGISTRY ?= ${DEV_REGISTRY} +IMAGE_PREFIX ?= deis + RC := manifests/deis-${SHORT_NAME}-rc.yaml SVC := manifests/deis-${SHORT_NAME}-service.yaml ADMIN_SEC := manifests/deis-${SHORT_NAME}-secretAdmin.yaml USER_SEC := manifests/deis-${SHORT_NAME}-secretUser.yaml -IMAGE := ${DEIS_REGISTRY}${SHORT_NAME}:${VERSION} +SSL_SEC := manifests/deis-${SHORT_NAME}-secretssl-final.yaml +IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/${SHORT_NAME}:${VERSION} MC_IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/mc:${VERSION} MC_INTEGRATION_IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/mc-integration:${VERSION} 
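Review bot: The new `IMAGE` line concatenates `${DEIS_REGISTRY}` and `${IMAGE_PREFIX}` with no separator, and the visible default `DEV_REGISTRY ?= $(docker-machine ip deis):5000` has no trailing slash, so the expansion reads `host:5000deis/minio:VERSION` unless DEIS_REGISTRY is expected to end in `/`. The MC_IMAGE context lines in this hunk follow the same pattern, so this may be a deliberate convention rather than a defect, but it is undocumented; a comment next to DEV_REGISTRY such as `# DEV_REGISTRY/DEIS_REGISTRY must end with a trailing slash; they are concatenated directly into the image names below.` would settle it for the next reader.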
@@ -43,18 +46,26 @@ docker-push: docker-build deploy: build docker-build docker-push kube-rc +# TODO: would be nice to refactor all of this code into a single binary. 1/2 of it is already written in genssl/manifest_replace.go. +# the other 1/2 is in gen.sh, and should be refactored as a few 'exec.Command' calls... ssl-cert: # generate ssl certs - docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/gen.sh && ./genssl/manifest-replace.sh + docker run --rm -v "${PWD}":/pwd -w /pwd centurylink/openssl:0.0.1 ./genssl/gen.sh # replace values in ssl secrets file - docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/manifest_replace.sh + docker run --rm -v "${PWD}":/pwd -w /pwd golang:1.5.1-alpine go run ./genssl/manifest_replace.go --cert=./genssl/server.cert --key=./genssl/server.key --tpl=./manifests/deis-minio-secretssl-tpl.yaml --out=./manifests/deis-minio-secretssl-final.yaml -kube-rc: kube-service +kube-rc: kubectl create -f ${RC} -kube-secrets: +kube-secrets: ssl-cert kubectl create -f ${ADMIN_SEC} kubectl create -f ${USER_SEC} + kubectl create -f ${SSL_SEC} + +kube-clean-secrets: + kubectl delete secret minio-user + kubectl delete secret minio-admin + kubectl delete secret minio-ssl kube-service: kube-secrets - kubectl create -f ${SVC} diff --git a/genssl/gen.sh b/genssl/gen.sh index d9612e0..ea15c78 100755 --- a/genssl/gen.sh +++ b/genssl/gen.sh 
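Review bot: `kube-service` loses its only recipe line (`kubectl create -f ${SVC}` is removed) and nothing else in the hunk creates the service, so after this change `make kube-service` only creates secrets; if that is intentional the target should be renamed and the SVC variable dropped, otherwise the line should stay. Removing `kube-service` from `kube-rc`'s prerequisites also means `make deploy` creates the replication controller before `kube-secrets` has run, and the rc.yaml in this diff mounts the `minio-ssl` secret, so the pod cannot start until the secrets are created separately. The `ssl-cert` recipe writes `manifests/deis-minio-secretssl-final.yaml` and `genssl/server.key`, both containing the private key; no `.gitignore` change is visible in this diff, so confirm those paths are ignored and consider having `kube-clean-secrets` delete them too. The `go run` line also hardcodes `deis-minio-...` paths while `SSL_SEC` is built from `${SHORT_NAME}`; passing `--out=${SSL_SEC}` keeps the two from drifting.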
@@ -1,8 +1,7 @@ -# this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell. -# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory. +#!/bin/sh -apk add --update-cache openssl -rm -rf /var/cache/apk/* +# this script intended to be run inside a centurylink/openssl:0.0.1 Docker container. +# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory. # these commands are adapted from the very clear and extensive Heroku documents on creating a self-signed SSL certificate: https://devcenter.heroku.com/articles/ssl-certificate-self#generate-private-key-and-certificate-signing-request diff --git a/genssl/manifest_replace.go b/genssl/manifest_replace.go new file mode 100755 index 0000000..555807c --- /dev/null +++ b/genssl/manifest_replace.go 
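Review bot: The shebang is added but no `set -e` is visible under it, and the Makefile now runs `./genssl/gen.sh` without the old `&&` chain, so if the script runs several openssl steps in sequence (the rest of gen.sh is outside this hunk) a failing step no longer stops the recipe and a bad or missing `server.key` would only surface when manifest_replace.go reads it. Adding `set -e` directly below `#!/bin/sh` keeps the failure at its source. Since the Makefile expects the script to leave `server.cert` and `server.key` in ./genssl, the header comment should also state that output contract and that the key is a private key to be kept out of version control.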
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"encoding/base64"
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"text/template"
+)
+
+const (
+	defaultAccessCertName = "./genssl/server.cert"
+	defaultAccessKeyName = "./genssl/server.key"
+	defaultTplName = "./manifests/deis-minio-secretssl-tpl.yaml"
+	defaultOutName = "./manifests/deis-minio-secretssl-final.yaml"
+)
+
+func main() {
+	accessCertName := flag.String("cert", defaultAccessCertName, "the path to the SSL certificate file")
+	accessKeyName := flag.String("key", defaultAccessKeyName, "the path to the SSL key file")
+	tplName := flag.String("tpl", defaultTplName, "the path to the template name")
+	outName := flag.String("out", defaultOutName, "the path to the output file")
+
+	certBytes, err := ioutil.ReadFile(*accessCertName)
+	if err != nil {
+		fmt.Printf("ERROR: reading cert file (%s)\n", err)
+		os.Exit(1)
+	}
+	keyBytes, err := ioutil.ReadFile(*accessKeyName)
+	if err != nil {
+		fmt.Printf("ERROR: reading key file (%s)\n", err)
+		os.Exit(1)
+	}
+	tpl, err := template.ParseFiles(*tplName)
+	if err != nil {
+		fmt.Printf("ERROR: parsing template (%s)\n", err)
+		os.Exit(1)
+	}
+
+	outFile, err := os.Create(*outName)
+	if err != nil {
+		fmt.Printf("ERROR: creating new out file (%s)\n", err)
+		os.Exit(1)
+	}
+
+	accessCertEncoded := base64.StdEncoding.EncodeToString(certBytes)
+	accessKeyEncoded := base64.StdEncoding.EncodeToString(keyBytes)
+
+	s := map[string]string{"AccessCert": accessCertEncoded, "AccessPem": accessKeyEncoded}
+
+	if err := tpl.Execute(outFile, s); err != nil {
+		fmt.Printf("ERROR: executing template (%s)\n", err)
+		os.Exit(1)
+	}
+}
diff --git a/genssl/manifest_replace.sh b/genssl/manifest_replace.sh
deleted file mode 100755
index df554bc..0000000
--- a/genssl/manifest_replace.sh
+++ /dev/null
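Review bot: `flag.Parse()` is never called, so the `--cert/--key/--tpl/--out` values the Makefile passes are ignored and the four constants are always used; add `flag.Parse()` immediately after the `outName` declaration. The output file holds a base64 copy of the private key, yet `os.Create` opens it with mode 0666 before umask; `outFile, err := os.OpenFile(*outName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` restricts it to the owner. `outFile` is also never closed, so a write error can go unreported, and the diagnostics go to stdout through `fmt.Printf` rather than `fmt.Fprintf(os.Stderr, ...)`. The file has no header comment; one stating that it renders a Kubernetes Secret manifest from a cert/key pair and that the output contains secret material would help.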
@@ -1,11 +0,0 @@
-# this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell.
-# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory.
-# finally, it also expects that a 'server.cert' and 'server.key' in ./genssl. it uses those as the SSL cert and private key (AKA .pem) files, respectively
-
-FILE_CONTENTS="$(cat ./manifests/deis-minio-secretssl.yaml)"
-CERT="$(base64 ./genssl/server.cert)"
-PEM="$(base64 ./genssl/server.key)"
-
-FILE_CONTENTS="${FILE_CONTENTS/ACCESS_CERT/$CERT}"
-FILE_CONTENTS="${FILE_CONTENTS/ACCESS_PEM/$PEM}"
-echo "$FILE_CONTENTS" > ./manifests/deis-minio-secretssl-final.yaml
diff --git a/manifests/deis-minio-rc.yaml b/manifests/deis-minio-rc.yaml
index b50d506..faf913c 100644
--- a/manifests/deis-minio-rc.yaml
+++ b/manifests/deis-minio-rc.yaml
@@ -4,7 +4,7 @@ metadata:
   name: deis-minio
   labels:
     heritage: deis
-    release: 0.0.1-20151125145149
+    release: v2-alpha
 spec:
   replicas: 1
   selector:
@@ -15,14 +15,18 @@ spec:
         app: deis-minio
     spec:
       containers:
-      - name: deis-minio
-        image: quay.io/deis/minio
+      - imagePullPolicy: Always
+        name: deis-minio
+        image: quay.io/deisci/minio:v2-alpha
         ports:
         - containerPort: 9000
         command:
         - boot
         args:
-        - "server /home/minio/"
+        - "--cert=/var/run/secrets/deis/minio/ssl/access-cert"
+        - "--key=/var/run/secrets/deis/minio/ssl/access-pem"
+        - "server"
+        - "/home/minio/"
         volumeMounts:
         - name: minio-admin
           mountPath: /var/run/secrets/deis/minio/admin
@@ -30,6 +34,9 @@ spec:
         - name: minio-user
           mountPath: /var/run/secrets/deis/minio/user
           readOnly: true
+        - name: minio-ssl
+          mountPath: /var/run/secrets/deis/minio/ssl
+          readOnly: true
       volumes:
       - name: minio-admin
         secret:
@@ -37,3 +44,6 @@ spec:
       - name: minio-user
         secret:
           secretName: minio-user
+      - name: minio-ssl
+        secret:
+          secretName: minio-ssl
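Review bot: `image: quay.io/deisci/minio:v2-alpha` combined with `imagePullPolicy: Always` means every pod (re)start pulls whatever the mutable `v2-alpha` tag points at that moment, so a restart can silently run different bits than the previous pod; pinning a digest or an immutable tag is the safer choice outside local development. The new `--cert`/`--key` args reference the `minio-ssl` mount added by the later hunks of this file, so the pod will not start until that secret exists, and the Makefile in this diff creates it only via `kube-secrets`. A comment above `args:` such as `# paths must match the minio-ssl volumeMount below` would make that coupling visible to whoever edits either side.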
diff --git a/manifests/deis-minio-secretssl.yaml b/manifests/deis-minio-secretssl-tpl.yaml
similarity index 82%
rename from manifests/deis-minio-secretssl.yaml
rename to manifests/deis-minio-secretssl-tpl.yaml
index 2eaccc8..c11cb3d 100644
--- a/manifests/deis-minio-secretssl.yaml
+++ b/manifests/deis-minio-secretssl-tpl.yaml
@@ -7,7 +7,7 @@ type: Opaque
 data:
   # generated by make ssl-cert
   access-cert: |
-    ACCESS_CERT
+    {{.AccessCert}}
   # generated by make ssl-cert
   access-pem: |
-    ACCESS_PEM
+    {{.AccessPem}}
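Review bot: Both values are rendered under a literal block scalar (`|`), which appends a trailing newline to the base64 string; Go's base64 decoder skips newlines so Kubernetes is likely to accept it, but `access-cert: |-` and `access-pem: |-` produce the canonical single-line value and avoid surprising other tooling. The `# generated by make ssl-cert` comments describe the old substitution flow; they should now say that `genssl/manifest_replace.go` renders this template into `deis-minio-secretssl-final.yaml` and that the rendered file carries the private key and must not be committed. The `access-pem` key receives `server.key`, which the deleted script itself calls the private key, so `access-key` would be a more accurate name, though renaming it also touches the mount path used in rc.yaml in this diff.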