diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index a3163f0a..3784b2d5 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -30,106 +30,134 @@ patches: - path: webhookcainjection_patch.yaml replacements: - - source: - fieldPath: .metadata.namespace - group: cert-manager.io + - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs kind: Certificate - name: serving-cert + group: cert-manager.io version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.namespace # namespace of the certificate CR targets: - - fieldPaths: - - .metadata.annotations.[cert-manager.io/inject-ca-from] - options: - create: true - delimiter: / - select: + - select: kind: ValidatingWebhookConfiguration - - fieldPaths: + fieldPaths: - .metadata.annotations.[cert-manager.io/inject-ca-from] options: + delimiter: '/' + index: 0 create: true - delimiter: / - select: + - select: kind: MutatingWebhookConfiguration - - fieldPaths: + fieldPaths: - .metadata.annotations.[cert-manager.io/inject-ca-from] options: + delimiter: '/' + index: 0 create: true - delimiter: / - select: + - select: kind: CustomResourceDefinition - reject: - - name: ipaddressclaims.ipam.cluster.x-k8s.io - - name: ipaddresses.ipam.cluster.x-k8s.io - - name: extensionconfigs.runtime.cluster.x-k8s.io + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true - source: - fieldPath: .metadata.name - group: cert-manager.io kind: Certificate - name: serving-cert + group: cert-manager.io version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.name targets: - - fieldPaths: - - .metadata.annotations.[cert-manager.io/inject-ca-from] - options: - create: true - delimiter: / - index: 1 - select: + - select: kind: ValidatingWebhookConfiguration - - fieldPaths: + fieldPaths: - .metadata.annotations.[cert-manager.io/inject-ca-from] options: - create: true - delimiter: / + delimiter: '/' index: 1 - select: + create: true + - select: kind: 
MutatingWebhookConfiguration - - fieldPaths: + fieldPaths: - .metadata.annotations.[cert-manager.io/inject-ca-from] options: - create: true - delimiter: / + delimiter: '/' index: 1 - select: + create: true + - select: kind: CustomResourceDefinition - reject: - - name: ipaddressclaims.ipam.cluster.x-k8s.io - - name: ipaddresses.ipam.cluster.x-k8s.io - - name: extensionconfigs.runtime.cluster.x-k8s.io - - source: - fieldPath: .metadata.name + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - source: # Add cert-manager annotation to the webhook Service kind: Service - name: webhook-service version: v1 + name: webhook-service + fieldPath: .metadata.name # namespace of the service targets: - - fieldPaths: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPaths: - .spec.dnsNames.0 - .spec.dnsNames.1 options: + delimiter: '.' + index: 0 create: true - delimiter: . - select: - group: cert-manager.io - kind: Certificate - version: v1 - source: - fieldPath: .metadata.namespace kind: Service - name: webhook-service version: v1 + name: webhook-service + fieldPath: .metadata.namespace # namespace of the service targets: - - fieldPaths: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPaths: - .spec.dnsNames.0 - .spec.dnsNames.1 options: - create: true - delimiter: . + delimiter: '.' 
index: 1 - select: - group: cert-manager.io + create: true + - source: # Prefix the certificate secret name with the name of service + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.name # namespace of the service + targets: + - select: kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.secretName + options: + delimiter: '-' + index: 0 + create: true + - source: # Certificate secret name + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPath: .spec.secretName + targets: + - select: + kind: Deployment + group: apps version: v1 + name: controller-manager + fieldPaths: + - .spec.template.spec.volumes.[name=cert].secret.secretName configurations: - kustomizeconfig.yaml
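Review bot: The `CustomResourceDefinition` targets in both `inject-ca-from` replacements no longer carry the `reject` list for `ipaddressclaims.ipam.cluster.x-k8s.io`, `ipaddresses.ipam.cluster.x-k8s.io` and `extensionconfigs.runtime.cluster.x-k8s.io`, so with `create: true` every CRD in the build now gets the annotation pointing at `serving-cert`. If those three CRDs are still rendered by this kustomization (not visible in the hunk), cert-manager's cainjector would be asked to manage their CA bundle from this certificate; either restore the `reject` entries or record in the commit message why the exclusion is no longer needed. The new secret-name prefix replacement selects `kind: Certificate` without `name: serving-cert`, unlike the `dnsNames` targets above it, so it rewrites `.spec.secretName` on any Certificate in the build; adding `name: serving-cert` to that `select` keeps it scoped to the webhook certificate that the Deployment's `cert` volume is later wired to. The comment `# namespace of the service` on the two `fieldPath: .metadata.name` lines should read `# name of the service`.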