diff --git a/core/pkg/ingress/controller/annotations.go b/core/pkg/ingress/controller/annotations.go index 601269ee6..47f0a9acf 100644 --- a/core/pkg/ingress/controller/annotations.go +++ b/core/pkg/ingress/controller/annotations.go @@ -17,13 +17,8 @@ limitations under the License. package controller import ( - "fmt" - "github.com/golang/glog" - - api "k8s.io/client-go/pkg/api/v1" extensions "k8s.io/client-go/pkg/apis/extensions/v1beta1" - "k8s.io/ingress/core/pkg/ingress/annotations/auth" "k8s.io/ingress/core/pkg/ingress/annotations/authreq" "k8s.io/ingress/core/pkg/ingress/annotations/authtls" @@ -134,17 +129,3 @@ func (e *annotationExtractor) SessionAffinity(ing *extensions.Ingress) *sessiona val, _ := e.annotations[sessionAffinity].Parse(ing) return val.(*sessionaffinity.AffinityConfig) } - -func (e *annotationExtractor) ContainsCertificateAuth(ing *extensions.Ingress) bool { - val, _ := parser.GetStringAnnotation("ingress.kubernetes.io/auth-tls-secret", ing) - return val != "" -} - -func (e *annotationExtractor) CertificateAuthSecret(ing *extensions.Ingress) (*api.Secret, error) { - val, _ := parser.GetStringAnnotation("ingress.kubernetes.io/auth-tls-secret", ing) - if val == "" { - return nil, fmt.Errorf("ingress rule %v/%v does not contain the auth-tls-secret annotation", ing.Namespace, ing.Name) - } - - return e.secretResolver.GetSecret(val) -} diff --git a/core/pkg/ingress/controller/annotations_test.go b/core/pkg/ingress/controller/annotations_test.go index 51b91831b..0da4458ab 100644 --- a/core/pkg/ingress/controller/annotations_test.go +++ b/core/pkg/ingress/controller/annotations_test.go 
@@ -264,79 +264,3 @@ func TestAffinitySession(t *testing.T) {
 }
 }
 }
-
-func TestContainsCertificateAuth(t *testing.T) {
- ec := newAnnotationExtractor(mockCfg{})
-
- foos := []struct {
- name string
- annotations map[string]string
- result bool
- }{
- {"nil_annotations", nil, false},
- {"empty_annotations", map[string]string{}, false},
- {"not_exist_annotations", map[string]string{annotationAffinityType: "cookie"}, false},
- {"exist_annotations", map[string]string{annotationAuthTlsSecret: "default/foo_secret"}, true},
- }
-
- for _, foo := range foos {
- t.Run(foo.name, func(t *testing.T) {
- ing := buildIngress()
- ing.SetAnnotations(foo.annotations)
- r := ec.ContainsCertificateAuth(ing)
- if r != foo.result {
- t.Errorf("Returned %t but expected %t for %s", r, foo.result, foo.name)
- }
- })
- }
-}
-
-func TestCertificateAuthSecret(t *testing.T) {
- resolver := mockCfg{}
- resolver.MockSecrets = map[string]*api.Secret{
- "default/foo_secret": {
- ObjectMeta: meta_v1.ObjectMeta{
- Name: "foo_secret_name",
- },
- },
- }
- ec := newAnnotationExtractor(resolver)
-
- foos := []struct {
- name string
- annotations map[string]string
- eerr bool
- ename string
- }{
- {"nil_annotations", nil, true, ""},
- {"empty_annotations", map[string]string{}, true, ""},
- {"not_exist_annotations", map[string]string{annotationAffinityType: "cookie"}, true, ""},
- {"exist_annotations", map[string]string{annotationAuthTlsSecret: "default/foo_secret"}, false, "foo_secret_name"},
- }
-
- for _, foo := range foos {
- t.Run(foo.name, func(t *testing.T) {
- ing := buildIngress()
- ing.SetAnnotations(foo.annotations)
- r, err := ec.CertificateAuthSecret(ing)
-
- if foo.eerr {
- if err == nil {
- t.Fatalf("Exepected error for %s", foo.name)
- }
- } else {
- if err != nil {
- t.Fatalf("Unexpected error %v for %s", err, foo.name)
- }
-
- rname := ""
- if r != nil {
- rname = r.GetName()
- }
- if rname != foo.ename {
- t.Errorf("Returned %s but expected %s for %s", rname, foo.ename, foo.name)
- }
- } - }) - } -} diff --git a/core/pkg/ingress/controller/controller.go b/core/pkg/ingress/controller/controller.go index 096c01ddb..328c6b42e 100644 --- a/core/pkg/ingress/controller/controller.go +++ b/core/pkg/ingress/controller/controller.go @@ -713,6 +713,10 @@ func (ic *GenericController) getBackendServers() ([]*ingress.Backend, []*ingress // GetAuthCertificate ... func (ic GenericController) GetAuthCertificate(secretName string) (*resolver.AuthSSLCert, error) { + if _, exists := ic.secretTracker.Get(secretName); !exists { + ic.secretTracker.Add(secretName, secretName) + } + _, err := ic.GetSecret(secretName) if err != nil { return &resolver.AuthSSLCert{}, fmt.Errorf("unexpected error: %v", err) @@ -1114,16 +1118,6 @@ func (ic *GenericController) getEndpoints( // extractSecretNames extracts information about secrets inside the Ingress rule func (ic GenericController) extractSecretNames(ing *extensions.Ingress) { - if ic.annotations.ContainsCertificateAuth(ing) { - key, _ := parser.GetStringAnnotation("ingress.kubernetes.io/auth-tls-secret", ing) - if key != "" { - _, exists := ic.secretTracker.Get(key) - if !exists { - ic.secretTracker.Add(key, key) - } - } - } - for _, tls := range ing.Spec.TLS { if tls.SecretName == "" { continue
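Review bot: In the `@@ -713,6 +713,10 @@` hunk of controller.go, the added `ic.secretTracker.Add(secretName, secretName)` runs before `ic.GetSecret(secretName)` has succeeded, so a name that fails to resolve stays tracked after GetAuthCertificate returns its error. If that is intended (for instance so a secret created later is picked up), replace the placeholder `// GetAuthCertificate ...` with something like `// GetAuthCertificate adds secretName to the secret tracker if it is not already tracked, then looks the secret up.`; if it is not intended, move the tracker update below the `err != nil` check. The name appears to originate from the `auth-tls-secret` annotation in `namespace/name` form (the removed test uses `default/foo_secret`), and tracking now happens in a function that receives only the string, not the Ingress, so any check that the referenced namespace is one the Ingress is allowed to use has to live in the caller; that is worth confirming, since it is not visible in this diff. The Get-then-Add pair is also a check-then-act on shared state, and whether that is safe under concurrent syncs depends on the tracker's own locking, which is not shown here. The function body continues outside the hunk.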