diff --git a/cmd/otk/osbuild-resolve-ostree-commit/main.go b/cmd/otk/osbuild-resolve-ostree-commit/main.go
index 54086240b1..d0ffac8062 100644
--- a/cmd/otk/osbuild-resolve-ostree-commit/main.go
+++ b/cmd/otk/osbuild-resolve-ostree-commit/main.go
@@ -27,6 +27,16 @@ type Input struct {
 
 	// Whether to use RHSM secrets when resolving and fetching the commit.
 	RHSM bool `json:"rhsm,omitempty"`
+
+	// MTLS information. Will be ignored if RHSM is set.
+	MTLS *struct {
+		CA         string `json:"ca"`
+		ClientCert string `json:"client_cert"`
+		ClientKey  string `json:"client_key"`
+	} `json:"mtls,omitempty"`
+
+	// HTTP proxy to use when fetching the ref.
+	Proxy string `json:"proxy,omitempty"`
 }
 
 // Output contains everything needed to write a manifest that requires pulling
@@ -50,9 +60,17 @@ func run(r io.Reader, w io.Writer) error {
 	}
 
 	sourceSpec := ostree.SourceSpec{
-		URL:  inputTree.Tree.URL,
-		Ref:  inputTree.Tree.Ref,
-		RHSM: inputTree.Tree.RHSM,
+		URL:   inputTree.Tree.URL,
+		Ref:   inputTree.Tree.Ref,
+		RHSM:  inputTree.Tree.RHSM,
+		Proxy: inputTree.Tree.Proxy,
+	}
+
+	if inputTree.Tree.MTLS != nil {
+		sourceSpec.MTLS = &ostree.MTLS{}
+		sourceSpec.MTLS.CA = inputTree.Tree.MTLS.CA
+		sourceSpec.MTLS.ClientCert = inputTree.Tree.MTLS.ClientCert
+		sourceSpec.MTLS.ClientKey = inputTree.Tree.MTLS.ClientKey
 	}
 
 	var commitSpec ostree.CommitSpec
diff --git a/cmd/otk/osbuild-resolve-ostree-commit/main_test.go b/cmd/otk/osbuild-resolve-ostree-commit/main_test.go
index 72bb8ed38b..8d80b3f4ab 100644
--- a/cmd/otk/osbuild-resolve-ostree-commit/main_test.go
+++ b/cmd/otk/osbuild-resolve-ostree-commit/main_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	resolver "github.com/osbuild/images/cmd/otk/osbuild-resolve-ostree-commit"
+	"github.com/osbuild/images/pkg/ostree/test_mtls_server"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
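Review bot: The new `MTLS` fields do not say whether `CA`, `ClientCert` and `ClientKey` hold filesystem paths or PEM contents; the accompanying test feeds them paths such as `TestCertDir/client.key`, so the comment should state that, e.g. `// MTLS information: paths to the CA certificate, client certificate and client private key used when fetching the commit. Ignored if RHSM is set.`. Because `ClientKey` names private key material, the comment is also the natural place to note that only the path, never the key contents, is expected to reach the output. An inline anonymous struct cannot be named by callers or reused by tests; a named type would be clearer, though that is a matter of style. `Input` starts before this hunk.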
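Review bot: The field comment promises that MTLS is ignored when RHSM is set, but `run` copies both into `sourceSpec` unconditionally, so the precedence is left to whatever consumes `ostree.SourceSpec`, which is not visible here. If that layer does not enforce it, the guard should read `if inputTree.Tree.MTLS != nil && !inputTree.Tree.RHSM {`; either way a one-line comment stating where the precedence is decided would help the next reader. The four assignments collapse into one composite literal, `sourceSpec.MTLS = &ostree.MTLS{CA: inputTree.Tree.MTLS.CA, ClientCert: inputTree.Tree.MTLS.ClientCert, ClientKey: inputTree.Tree.MTLS.ClientKey}`. Nothing rejects an `mtls` block whose `client_cert` or `client_key` is empty, which will only surface later as a TLS handshake failure rather than a clear input error. `run` starts and ends outside the hunk.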
@@ -22,9 +23,30 @@ var commitMap = map[string]string{
 	"test/ref/one": "7433e1b49fb136d61dcca49ebe34e713fdbb8e29bf328fe90819628f71b86105",
 }
 
+const TestCertDir = "../../../pkg/ostree/test_mtls_server"
+
 // Create a test server that responds with the commit ID that corresponds to
 // the ref.
 func createTestServer(refIDs map[string]string) *httptest.Server {
+	handler := createTestHandler(refIDs)
+
+	return httptest.NewServer(handler)
+}
+
+// Create a test server that responds with the commit ID that corresponds to
+// the ref. MTLS variant.
+func createMTLSTestServer(refIDs map[string]string) *httptest.Server {
+	handler := createTestHandler(refIDs)
+
+	mtlss, err := test_mtls_server.NewMTLSServerInPath(handler, TestCertDir)
+	if err != nil {
+		panic(err)
+	}
+
+	return mtlss.Server
+}
+
+func createTestHandler(refIDs map[string]string) *http.ServeMux {
 	handler := http.NewServeMux()
 	handler.HandleFunc("/refs/heads/", func(w http.ResponseWriter, r *http.Request) {
 		reqRef := strings.TrimPrefix(r.URL.Path, "/refs/heads/")
@@ -36,7 +58,7 @@ func createTestServer(refIDs map[string]string) *httptest.Server {
 		fmt.Fprint(w, id)
 	})
 
-	return httptest.NewServer(handler)
+	return handler
 }
 
 func TestResolver(t *testing.T) {
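Review bot: `createMTLSTestServer` panics when `NewMTLSServerInPath` fails, which aborts the whole test binary instead of failing the calling test; the helper should take `t *testing.T`, call `t.Helper()`, and replace the `panic(err)` with `require.NoError(t, err)` (the file already imports testify's require). `TestCertDir` is an exported constant in a `_test.go` file whose relative path only resolves when `go test` runs with the package directory as its working directory; a lowercase name plus `// relative to this package's directory, as go test runs it` would make that explicit. `createTestHandler` has no doc comment; `// createTestHandler serves the commit ID from refIDs for each ref requested under /refs/heads/.` matches the visible HandleFunc.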
@@ -77,6 +99,50 @@ func TestResolver(t *testing.T) {
 	}
 }
 
+func TestResolverMTLS(t *testing.T) {
+	require := require.New(t)
+	assert := assert.New(t)
+
+	repoServer := createMTLSTestServer(commitMap)
+	defer repoServer.Close()
+
+	url := repoServer.URL
+	for ref, id := range commitMap {
+		inputReq, err := json.Marshal(map[string]interface{}{
+			"tree": map[string]interface{}{
+				"url": url,
+				"ref": ref,
+				"mtls": map[string]string{
+					"ca":          fmt.Sprintf("%s/ca.crt", TestCertDir),
+					"client_cert": fmt.Sprintf("%s/client.crt", TestCertDir),
+					"client_key":  fmt.Sprintf("%s/client.key", TestCertDir),
+				},
+			},
+		})
+		require.NoError(err)
+
+		inpBuf := bytes.NewBuffer(inputReq)
+		outBuf := &bytes.Buffer{}
+
+		assert.NoError(resolver.Run(inpBuf, outBuf))
+
+		var output map[string]map[string]map[string]string
+		require.NoError(json.Unmarshal(outBuf.Bytes(), &output))
+
+		expOutput := map[string]map[string]map[string]string{
+			"tree": {
+				"const": {
+					"url":      url,
+					"ref":      ref,
+					"checksum": id,
+					"secrets":  "org.osbuild.mtls",
+				},
+			},
+		}
+		assert.Equal(expOutput, output)
+	}
+}
+
 func TestResolverByID(t *testing.T) {
 	require := require.New(t)
 	assert := assert.New(t)
diff --git a/pkg/ostree/test_mtls_server/http_mtls_server.go b/pkg/ostree/test_mtls_server/http_mtls_server.go
index 0a745734fe..3c31f40c49 100644
--- a/pkg/ostree/test_mtls_server/http_mtls_server.go
+++ b/pkg/ostree/test_mtls_server/http_mtls_server.go
@@ -24,6 +24,10 @@ func NewMTLSServer(handler http.Handler) (*MTLSServer, error) {
 		return nil, err
 	}
 
+	return NewMTLSServerInPath(handler, certsPath)
+}
+
+func NewMTLSServerInPath(handler http.Handler, certsPath string) (*MTLSServer, error) {
 	caPath := filepath.Join(certsPath, "ca.crt")
 	serverKeyPath := filepath.Join(certsPath, "server.key")
 	serverCrtPath := filepath.Join(certsPath, "server.crt")
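Review bot: The certificate paths in the request are built with `fmt.Sprintf("%s/ca.crt", TestCertDir)`; `filepath.Join(TestCertDir, "ca.crt")` is the idiomatic form and would need a `path/filepath` import in this file. The test only exercises the happy path: there is no case for the documented "MTLS is ignored when RHSM is set" precedence and none for the new `proxy` field, so a regression in either would go unnoticed; a second request setting `"rhsm": true` together with `"mtls"` and asserting whatever `secrets` value the RHSM path produces today would cover the first. The exact `assert.Equal` on the whole output is valuable here because it would catch the client key path or any key material leaking into the manifest output, and a one-line comment saying so would stop a future edit from loosening it to per-key checks.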
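Review bot: `NewMTLSServerInPath` is a new exported function without a doc comment; proposed: `// NewMTLSServerInPath starts an MTLS test server using ca.crt, server.key and server.crt from certsPath.`. Since callers now pass arbitrary directories (the resolver test passes a relative path), an error from loading those files should name the directory if the code further down does not already do so, e.g. wrapping with `fmt.Errorf("loading MTLS test certificates from %q: %w", certsPath, err)`, assuming fmt is available in this file. `NewMTLSServerInPath` continues past the end of the hunk, so whether such wrapping already exists cannot be confirmed here.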