diff --git a/Makefile b/Makefile
index 6aca480f..ce88c464 100644
--- a/Makefile
+++ b/Makefile
@@ -101,14 +101,16 @@ docker-push: ## Push docker image with the manager.
 # also generates a placeholder cert for the webhook - this cert is not intended to be valid
 .PHONY: build-deploy
 build-deploy: ## Create a deployment file that can be applied with `kubectl apply -f deploy.yaml`
+	$(eval TEMP_KEY := $(shell mktemp))
+	$(eval TEMP_CERT := $(shell mktemp))
 	cd config/manager && kustomize edit set image controller=${ECRIMAGES}
 	kustomize build config/default > deploy.yaml
-	openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=not-a-real-cn/O=not-a-real-o" > /dev/null 2>&1
-	$(eval export KEY_B64 := $(shell cat tls.key | base64))
-	$(eval export CERT_B64 := $(shell cat tls.crt | base64))
-	yq -i e '(.[] as $$item | select(.metadata.name == "webhook-cert" and .kind == "Secret") | .data."tls.crt") = env(CERT_B64)' deploy.yaml 2>&1
+	openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout $(TEMP_KEY) -out $(TEMP_CERT) -subj "/CN=not-a-real-cn/O=not-a-real-o" > /dev/null 2>&1
+	export KEY_B64=`cat $(TEMP_KEY) | base64` && \
+	export CERT_B64=`cat $(TEMP_CERT) | base64` && \
+	yq -i e '(.[] as $$item | select(.metadata.name == "webhook-cert" and .kind == "Secret") | .data."tls.crt") = env(CERT_B64)' deploy.yaml && \
 	yq -i e '(.[] as $$item | select(.metadata.name == "webhook-cert" and .kind == "Secret") | .data."tls.key") = env(KEY_B64)' deploy.yaml 2>&1
-	rm tls.key tls.crt
+	rm $(TEMP_KEY) $(TEMP_CERT)
 
 .PHONY: manifest
 manifest: ## Generate CRD manifest