diff --git a/design/20190708.certificate-request-crd.md b/design/20190708.certificate-request-crd.md
index 7e883a10a..ddcbc1f7a 100644
--- a/design/20190708.certificate-request-crd.md
+++ b/design/20190708.certificate-request-crd.md
@@ -11,7 +11,7 @@ approvers:
   - "@munnerz"
 editor: "@joshvanl"
 creation-date: 2019-07-08
-last-updated: 2019-07-09
+last-updated: 2019-08-01
 status: implementable
 ---
 
@@ -206,6 +206,17 @@ ownership of the default pool of issuers in the cert-manager project.
 Until the mutating webhook is fully implemented, we will handle defaulting
 internally in the controller.
 
+### CertificateRequest Annotations
+In order for `CertificateRequest` controllers to resolve requests, extra
+information may be needed that is not present in the API Spec. To pass on this
+information, a set of one or more annotations should be defined, with reliable
+value pairs. These are;
+
+- `certmanager.k8s.io/private-key-secret-name`: The name of the secret, in the
+  same namespace as the `CertificateRequest`, that stores the private key which
+  was used to sign the x509 certificate signing request. This is required by the
+ `SelfSigning` issuer to sign its own certificate.
+
 ### Test Plan
 
 Standard unit and end-to-end tests will be used to verify new behaviour, as used