diff --git a/cmd/controller/app/controller.go b/cmd/controller/app/controller.go
index 9ea95ab18..b02138e9f 100644
--- a/cmd/controller/app/controller.go
+++ b/cmd/controller/app/controller.go
@@ -190,6 +190,9 @@ func buildControllerContext(opts *options.ControllerOptions) (*controller.Contex
 			DefaultACMEIssuerChallengeType: opts.DefaultACMEIssuerChallengeType,
 			DefaultACMEIssuerDNS01ProviderName: opts.DefaultACMEIssuerDNS01ProviderName,
 		},
+		CertificateOptions: controller.CertificateOptions{
+			EnableOwnerRef: opts.EnableCertificateOwnerRef,
+		},
 	}, kubeCfg, nil
 }
 
diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go
index 6a5df3178..0c877d8b2 100644
--- a/cmd/controller/app/options/options.go
+++ b/cmd/controller/app/options/options.go
@@ -65,6 +65,8 @@ type ControllerOptions struct {
 
 	// DNS01Nameservers allows specifying a list of custom nameservers to perform DNS checks
 	DNS01Nameservers []string
+
+	EnableCertificateOwnerRef bool
 }
 
 const (
@@ -85,6 +87,7 @@ const (
 	defaultTLSACMEIssuerKind = "Issuer"
 	defaultACMEIssuerChallengeType = "http01"
 	defaultACMEIssuerDNS01ProviderName = ""
+	defaultEnableCertificateOwnerRef = false
 )
 
 var (
@@ -126,6 +129,7 @@ func NewControllerOptions() *ControllerOptions {
 		DefaultACMEIssuerChallengeType: defaultACMEIssuerChallengeType,
 		DefaultACMEIssuerDNS01ProviderName: defaultACMEIssuerDNS01ProviderName,
 		DNS01Nameservers: []string{},
+		EnableCertificateOwnerRef: defaultEnableCertificateOwnerRef,
 	}
 }
 
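Review bot: The new `EnableCertificateOwnerRef` field in the `ControllerOptions` hunk carries no doc comment, while its neighbour `DNS01Nameservers` documents what it controls; for an option that decides whether a Secret holding a private key is garbage-collected, the intent should be on the field, not only in the flag help. Suggest `// EnableCertificateOwnerRef, when true, makes the controller add the Certificate as an owner reference on the Secrets it creates, so deleting the Certificate also removes the Secret (and the private key inside it).` The struct definition starts outside the hunk.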
@@ -201,6 +205,9 @@ func (s *ControllerOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringSliceVar(&s.DNS01Nameservers, "dns01-self-check-nameservers", []string{}, ""+
 		"A list of comma seperated DNS server endpoints used for DNS01 check requests. "+
 		"This should be a list containing IP address and port, for example: 8.8.8.8:53,8.8.4.4:53")
+	fs.BoolVar(&s.EnableCertificateOwnerRef, "enable-certificate-owner-ref", defaultEnableCertificateOwnerRef, ""+
+		"Whether to set the certificate resource as an owner of secret where the tls certificate is stored. "+
+		"When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.")
 }
 
 func (o *ControllerOptions) Validate() error {
diff --git a/pkg/apis/certmanager/v1alpha1/types.go b/pkg/apis/certmanager/v1alpha1/types.go
index 584ff50d7..8d80ced45 100644
--- a/pkg/apis/certmanager/v1alpha1/types.go
+++ b/pkg/apis/certmanager/v1alpha1/types.go
@@ -59,6 +59,7 @@ type ObjectReference struct {
 const (
 	ClusterIssuerKind = "ClusterIssuer"
 	IssuerKind = "Issuer"
+	CertificateKind = "Certificate"
 )
 
 type SecretKeySelector struct {
diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go
index 34a72b66d..ddfb5545e 100644
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@@ -253,6 +253,17 @@ func issuerKind(crt *v1alpha1.Certificate) string {
 	}
 }
 
+func ownerRef(crt *v1alpha1.Certificate) metav1.OwnerReference {
+	controller := true
+	return metav1.OwnerReference{
+		APIVersion: v1alpha1.SchemeGroupVersion.String(),
+		Kind: v1alpha1.CertificateKind,
+		Name: crt.Name,
+		UID: crt.UID,
+		Controller: &controller,
+	}
+}
+
 func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, cert, key, ca []byte) (*api.Secret, error) {
 	secret, err := c.Client.CoreV1().Secrets(namespace).Get(crt.Spec.SecretName, metav1.GetOptions{})
 	if err != nil && !k8sErrors.IsNotFound(err) {
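Review bot: The help text for `enable-certificate-owner-ref` promises that the Secret "will be automatically removed", but going by the sync.go hunk in this same change the owner reference is only attached on the `Create` path, so a Secret that already exists when the flag is switched on keeps being updated without ever gaining an owner and is never removed. That is worth stating in the flag help so operators do not rely on it for existing installs, e.g. append `"Only Secrets created after the flag is enabled are affected; pre-existing Secrets are left without an owner reference."`. A word that the removal takes the private key with it, while workloads may still be mounting the Secret, would also help. `AddFlags` continues outside the hunk.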
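Review bot: `ownerRef` marks the reference as a controller (`Controller: &controller`) but has no doc comment saying so, and that detail matters: the API server rejects an object with more than one controller owner reference, so this helper must only ever be appended to a Secret that has no controller yet, which is what the `append(secret.GetOwnerReferences(), …)` on a freshly built Secret in `updateSecret` appears to rely on. Suggest `// ownerRef builds the controller OwnerReference that records crt as the owner of the Secret it issues into. A Secret may carry only one controller reference, so this must not be added to a Secret already controlled by another object.` The helper also copies `crt.UID` as-is; the API server rejects owner references with an empty UID, so callers presumably need a Certificate read from the API rather than one built locally, and a note to that effect would avoid surprises in tests.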
@@ -299,6 +310,10 @@ func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, c
 
 	// if it is a new resource
 	if secret.SelfLink == "" {
+		enableOwner := c.CertificateOptions.EnableOwnerRef
+		if enableOwner {
+			secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt)))
+		}
 		secret, err = c.Client.CoreV1().Secrets(namespace).Create(secret)
 	} else {
 		secret, err = c.Client.CoreV1().Secrets(namespace).Update(secret)
diff --git a/pkg/controller/context.go b/pkg/controller/context.go
index b23d4fcaa..979ada761 100644
--- a/pkg/controller/context.go
+++ b/pkg/controller/context.go
@@ -50,6 +50,7 @@ type Context struct {
 	IssuerOptions
 	ACMEOptions
 	IngressShimOptions
+	CertificateOptions
 }
 
 func (c *Context) IssuerFactory() IssuerFactory {
@@ -106,3 +107,9 @@ type IngressShimOptions struct {
 	DefaultACMEIssuerDNS01ProviderName string
 	DefaultAutoCertificateAnnotations []string
 }
+
+type CertificateOptions struct {
+	// EnableOwnerRef controls wheter wheter the certificate is configured as an owner of
+	// secret where the effective TLS certificate is stored.
+	EnableOwnerRef bool
+}
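Review bot: The owner reference is attached to a Secret created in `namespace`, but the owner is `crt`, and Kubernetes owner references are only valid within a single namespace; if `namespace` ever differs from `crt.Namespace` (I cannot see from the hunk whether the caller guarantees they match) the reference is invalid and the garbage collector's behaviour on such a dependent is not something to rely on. A cheap guard makes the invariant explicit: `if c.CertificateOptions.EnableOwnerRef && namespace == crt.Namespace {`, which also drops the single-use `enableOwner` local. A comment on the branch would help the next reader, e.g. `// Only adopt Secrets we create ourselves; a pre-existing Secret is never taken over, so an unrelated Secret cannot be deleted through a Certificate that merely names it.` `updateSecret` starts and ends outside the hunk.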
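Review bot: The doc comment on `EnableOwnerRef` in the new `CertificateOptions` type reads "controls wheter wheter", a doubled typo, and it does not say what the consequence of the owner relationship is, which is the part an operator needs. Suggest `// EnableOwnerRef controls whether the Certificate is recorded as the controller owner of the Secret holding the issued TLS key pair, so that deleting the Certificate also garbage-collects that Secret.`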