diff --git a/make_global.py b/make_global.py --- a/make_global.py +++ b/make_global.py @@ -5,22 +5,27 @@ import subprocess import sys import time +POM_CERT_NAME = 'pomerium-proxy-tls' +AUTH_HOST = 'authenticate2.bigasterisk.com' -def getSuffixedName() -> str: - ns = 'pomerium' +(phase,) = sys.argv[1:] + + +def secretExists(qname): + ns, localName = qname.split('/') j = json.loads(subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "json"]).decode('utf8')) for item in j['items']: name = item['metadata']['name'] - if name.startswith('pomerium-proxy-tls'): - return ns + '/' + name + if name == localName: + return raise ValueError() -def retryGetSuffixedName() -> str: - sys.stderr.write("\nwait for secret: ") +def waitForSecret(qname): + sys.stderr.write(f"\nwait for secret {qname}: ") for tries in range(100): try: - return getSuffixedName() + return secretExists(qname) except ValueError: sys.stderr.write('.') sys.stderr.flush() 
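Review bot: In `waitForSecret`, the `except ValueError` that drives the retry loop also catches the `ValueError` raised when `ns, localName = qname.split('/')` in `secretExists` gets a name without exactly one `/`, so a malformed name is retried 100 times with dots instead of failing at once. Separately, `kubectl get -n ns secret -o json` pulls every secret in the namespace, including each one's encoded data, into this process only to compare names; asking for the single object (`kubectl get -n NS secret NAME --ignore-not-found -o name`) returns empty output when it is absent, still exits non-zero on real errors such as a missing permission or an unreachable API server, and needs no `list` permission across the namespace. Raising a dedicated `SecretMissing(ValueError)` for the not-found case and catching only that in `waitForSecret` keeps the retry limited to "not there yet". `secretExists` also returns `None` on success despite the boolean-sounding name, so its result cannot be used as a predicate; returning `True` or renaming it would make the contract clearer. `waitForSecret` continues past the end of the hunk, and the rewrite below keeps its unchanged tail.
```python
class SecretMissing(ValueError):
    """Secret not present (yet); the only failure waitForSecret retries."""


def secretExists(qname):
    ns, localName = qname.split('/')
    # Fetch just this object by name instead of listing (and receiving the data of) every
    # secret in the namespace. --ignore-not-found keeps "absent" at exit 0 with empty output,
    # so real errors (RBAC, API unreachable) still raise CalledProcessError and abort as before.
    out = subprocess.check_output(["kubectl", "get", "-n", ns, "secret", localName,
                                   "--ignore-not-found", "-o", "name"])
    if not out.strip():
        raise SecretMissing(qname)


def waitForSecret(qname):
    sys.stderr.write(f"\nwait for secret {qname}: ")
    for tries in range(100):
        try:
            return secretExists(qname)
        except SecretMissing:
            # … unchanged: progress dot, flush, sleep …
```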
@@ -28,37 +33,47 @@ def retryGetSuffixedName() -> str: else: raise ValueError +def pomeriumGlobalConfig(): -config = { - 'apiVersion': "ingress.pomerium.io/v1", - 'kind': "Pomerium", - 'metadata': { - 'name': "global" - }, - 'spec': { - 'secrets': "pomerium/bootstrap", - 'authenticate': { - 'url': "https://authenticate.bigasterisk.com" - }, - 'cookie': { - 'expire': "20h" + config = { + 'apiVersion': "ingress.pomerium.io/v1", + 'kind': "Pomerium", + 'metadata': { + 'name': "global" }, - 'identityProvider': { - 'provider': "oidc", - 'url': "https://accounts.google.com", - 'scopes': [ - "openid", - "email", - "profile" # adds name+locale to user details - ], - 'secret': "pomerium/idp" - }, -# 'storage': { -# 'postgres': { -# 'secret': "pomerium/postgres-connection-key" -# } -# }, + 'spec': { + 'secrets': "pomerium/bootstrap", + 'authenticate': { + 'url': f"https://{AUTH_HOST}" + }, + 'cookie': { + 'expire': "20h" + }, + 'identityProvider': { + 'provider': "oidc", + 'url': "https://accounts.google.com", + 'scopes': [ + "openid", + "email", + "profile" # adds name+locale to user details + ], + 'secret': "pomerium/idp" + }, + # 'storage': { + # 'postgres': { + # 'secret': "pomerium/postgres-connection-key" + # } + # }, + } } + + if phase == 'wait_for_cert': + waitForSecret('pomerium/pomerium-proxy-tls') + config['spec']['certificates'] = [f'pomerium/{POM_CERT_NAME}'] + + sys.stderr.write('\n') + return config + def pomCert(): return { "apiVersion": "cert-manager.io/v1", 
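Review bot: `pomeriumGlobalConfig` hard-codes `'pomerium/pomerium-proxy-tls'` in the `waitForSecret` call even though the very next line builds the same name from `POM_CERT_NAME`, so the two can drift apart silently; use `waitForSecret(f'pomerium/{POM_CERT_NAME}')` so both lines derive from the constant. The function also reads the module-level `phase` instead of taking it as a parameter, which makes it awkward to call or test outside this script; `def pomeriumGlobalConfig(phase):` with the call site at the bottom of the file updated would keep the same behaviour. The trailing `sys.stderr.write('\n')` runs even when no wait happened, so it could move inside the `if phase == 'wait_for_cert':` branch where the progress dots are written. `pomCert` starts at the end of this hunk and continues outside it.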
@@ -79,14 +94,9 @@ def pomCert(): } } -# Old note: pom won't start up if this cert doesn't exist, so you have to run once -# with it commented out, then after cert success, run again with it enabled. +if phase == 'output_pom_cert': + output = pomCert() +else: + output = pomeriumGlobalConfig() -config['spec']['certificates'] = [ - # retryGetSuffixedName() # it appear this is a temporary cert and we should set the line below then wait a few minutes - 'pomerium/pomerium-proxy-tls' -] - -sys.stderr.write('\n') - -print(json.dumps(config)) +print(json.dumps(output))
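Review bot: The `else:` branch at the end of the file treats every value of `phase` other than `'output_pom_cert'` as the global-config phase, so a misspelled argument silently emits the config without `certificates` instead of waiting for the secret. Validating `phase` once where it is read, e.g. `if phase not in ('output_pom_cert', 'wait_for_cert', <bootstrap phase name>): sys.exit(f'usage: make_global.py PHASE (unknown phase {phase!r})')`, turns that into an immediate error. The `(phase,) = sys.argv[1:]` unpacking in the first hunk likewise fails with a bare `ValueError: not enough values to unpack` when no argument is given, and the same usage message would cover that case. The removed comment about needing two runs was the only documentation of the phase sequence; a module docstring listing the phases in the order they are meant to run would preserve that knowledge.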