diff --git a/scripts/install.sh b/scripts/install.sh
index f5c65ef0..b9d1fafe 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -325,16 +325,17 @@ if [[ $enable_self_signed_ca == "true" ]]; then
   # comment out vars
   configMapGeneratorStartLine=$(grep -n configMapGenerator ./default/kustomization.yaml |cut -d':' -f1)
   configMapGeneratorBeforeLine=$((configMapGeneratorStartLine-1))
-  sed "1,${configMapGeneratorBeforeLine}s/^/#/g" -i default/kustomization.yaml
-  
+  sed -i.bak "1,${configMapGeneratorBeforeLine}s/^/#/g" default/kustomization.yaml
+
   # remove webhookcainjection_patch.yaml
-  sed 's+- webhookcainjection_patch.yaml++g' -i default/kustomization.yaml
+  sed -i.bak '/webhookcainjection_patch.yaml/d' default/kustomization.yaml
 
   # create dummy secret 'modelmesh-webhook-server-cert'
   secretExist=$(kubectl get secret modelmesh-webhook-server-cert --ignore-not-found|wc -l)
-  if [[ $secretExist == 0 ]]; then
+  if [[ $secretExist -eq 0 ]]; then
     kubectl create secret generic modelmesh-webhook-server-cert 
   fi
+  rm default/kustomization.yaml.bak
 fi
 
 kustomize build default | kubectl apply -f -
@@ -365,10 +366,9 @@ if [[ $enable_self_signed_ca == "true" ]]; then
   info "Enabled Self Signed CA: Generate certificates and restart controller"
   
   # Delete dummy secret for webhook server
-  kubectl delete secret modelmesh-webhook-server-cert 
+  kubectl delete secret modelmesh-webhook-server-cert
 
   ../scripts/self-signed-ca.sh --namespace $namespace
-
 fi
 
 info "Waiting for ModelMesh Serving controller pod to be up..."
diff --git a/scripts/self-signed-ca.sh b/scripts/self-signed-ca.sh
index de104cd9..e91a1b7f 100755
--- a/scripts/self-signed-ca.sh
+++ b/scripts/self-signed-ca.sh
@@ -116,10 +116,10 @@ openssl x509 -extensions v3_req -req -days 365 -in ${tmpdir}/server.csr -CA ${tm
 kubectl create secret generic ${secret} \
         --from-file=tls.key=${tmpdir}/server.key \
         --from-file=tls.crt=${tmpdir}/server.crt \
-        --dry-run -o yaml |
+        --dry-run=server -o yaml |
     kubectl -n ${namespace} apply -f -
 # Webhook pod needs to be restarted so that the service reload the secret
-# http://github.com/kueflow/kubeflow/issues/3227
+# http://github.com/kubeflow/kubeflow/issues/3227
 webhookPod=$(kubectl get pods -n ${namespace} |grep ${webhookDeploymentName} |awk '{print $1;}')
 # ignore error if webhook pod does not exist
 kubectl delete pod ${webhookPod} -n ${namespace} 2>/dev/null || true