diff --git a/controllers/gce/controller/utils.go b/controllers/gce/controller/utils.go
index 05379d2a1..1d0b7bf56 100644
--- a/controllers/gce/controller/utils.go
+++ b/controllers/gce/controller/utils.go
@@ -52,6 +52,13 @@ const (
 	// responsibility to create/delete it.
 	staticIPNameKey = "kubernetes.io/ingress.global-static-ip-name"
 
+	// preSharedCertKey represents the specific pre-shared SSL
+	// certicate for the Ingress controller to use. The controller *does not*
+	// manage this certificate, it is the users responsibility to create/delete it.
+	// In GCP, the Ingress controller assigns the SSL certificate with this name
+	// to the target proxies of the Ingress.
+	preSharedCertKey = "ingress.gcp.kubernetes.io/pre-shared-cert"
+
 	// ingressClassKey picks a specific "class" for the Ingress. The controller
 	// only processes Ingresses with this annotation either unset, or set
 	// to either gceIngessClass or the empty string.
@@ -82,7 +89,7 @@ func (ing ingAnnotations) allowHTTP() bool {
 // useNamedTLS returns the name of the GCE SSL certificate. Empty by default.
 // TODO: naming this (ie: external-ssl-cert)
 func (ing ingAnnotations) useNamedTLS() string {
-	val, ok := ing[extensions.IngressPreSharedCertAnnotationKey]
+	val, ok := ing[preSharedCertKey]
 	if !ok {
 		return ""
 	}