diff --git a/.gitignore b/.gitignore
index 6d484c5..8e720cb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .idea
 *.iml
 .DS_Store
+tmp
diff --git a/tools/multicluster/setup_tls.sh b/tools/multicluster/setup_tls.sh
index 9cdfefd..392dcbb 100755
--- a/tools/multicluster/setup_tls.sh
+++ b/tools/multicluster/setup_tls.sh
@@ -2,9 +2,21 @@
 set -Eeou pipefail
+# this is useful for the user to see what is actually executing here
+set -x
+
 # This script is intended for demoing and not for general customer usage. This script has no official MongoDB support and is not guaranteed to be maintained.
 #
-# This script requires having `mkcert` installed for creating a local CA
+# This script:
+# - requires having "mkcert" (https://github.com/FiloSottile/mkcert) installed for creating a local CA.
+# - executes all operation in the current kubectl context
+# - installs cert-manager in cert-manager namespace using helm
+# - creates issuer CA secret "ca-key-pair" using mkcert's root CA key pair to create ClusterIssuer in cert-manager
+# - creates "issuer-ca" config map with the all necessary CA certificates for MongoDB resources
+# - creates ClusterIssuer in cert-manager to issue certificates in different namespaces
+# - creates Certificate in cert-manager to issue the certificate in the desired namespace. Cert-manager will create a secret in the specified namespace named: "certprefix-${resource}-cert".
+# - tries to configure TLS encryption in MongoDBMultiCluster resource
+# - It is issued for a wildcard hostname "*.${namespace}.svc.cluster.local" in SAN field, and it's suitable to use in all MongoDB databases and as Ops Manager's server certificate.
 # Sample usage:
 # ./setup_tls.sh mongodb multi-cluster-replica-set
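Review bot: The new header bullet "creates issuer CA secret "ca-key-pair" using mkcert's root CA key pair" omits the consequence a user needs before running this: that private key belongs to the same root that `mkcert -install` (run later in this script) places in the local trust store, so anyone who can read the Secret in the cluster can mint certificates this workstation accepts. Suggest one more bullet in the header block: `# - WARNING: the mkcert root CA private key is copied into the cluster as Secret "ca-key-pair"; anyone able to read that Secret can issue certificates trusted by this machine. Demo-only; do not reuse this CA elsewhere.` The unconditional `set -x` also goes further than the stated intent of letting the user see what runs, tracing every expanded helm/kubectl line for everyone; an opt-in form such as `if [[ -n "${DEBUG:-}" ]]; then set -x; fi` keeps the trace available without making it the default. Two wording nits in the added bullets: "executes all operation" should read "executes all operations", and "with the all necessary" should read "with all the necessary".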
@@ -15,22 +27,23 @@ resource="${2:-multi-replica-set}"
 helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
 # Setup local CA
+echo "Installing root CA using: mkcert -install. Sudo password might be required."
 mkcert -install
 # Create CA secret in kubernetes
-kubectl create secret tls ca-key-pair --cert="$(mkcert --CAROOT)/rootCA.pem" --key="$(mkcert --CAROOT)/rootCA-key.pem" -n "${namespace}"
+kubectl create secret tls ca-key-pair --cert="$(mkcert --CAROOT)/rootCA.pem" --key="$(mkcert --CAROOT)/rootCA-key.pem" -n cert-manager || true
 # Download mongodb certs and append them to the local CA cert
-openssl s_client -showcerts -verify 2 -connect downloads.mongodb.com:443 -servername downloads.mongodb.com out}' || true
-cat "$(mkcert --CAROOT)/rootCA.pem" cert1.crt cert2.crt cert3.crt cert4.crt >>ca-chain.crt
+openssl s_client -showcerts -verify 2 -connect downloads.mongodb.com:443 -servername downloads.mongodb.com out}'
+cat "$(mkcert --CAROOT)/rootCA.pem" cert1.crt cert2.crt cert3.crt cert4.crt >ca-chain.crt
 # Create CA certificates config map from certificate chain
 kubectl create configmap issuer-ca --from-file=mms-ca.crt=ca-chain.crt --from-file=ca-pem=ca-chain.crt -n "${namespace}"
-# Crete Issuer for certs
+# Create ClusterIssuer for certs
 cat <