diff --git a/cmd/flux/create_source_oci.go b/cmd/flux/create_source_oci.go
index dd2b4fbfec..57d1a4728f 100644
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@@ -56,6 +56,7 @@ type sourceOCIRepositoryFlags struct {
 	digest         string
 	secretRef      string
 	serviceAccount string
+	certSecretRef  string
 	ignorePaths    []string
 }
 
@@ -68,6 +69,7 @@ func init() {
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.digest, "digest", "", "the OCI artifact digest")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
 	createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
 
 	createSourceCmd.AddCommand(createSourceOCIRepositoryCmd)
@@ -135,6 +137,12 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if secretName := sourceOCIRepositoryArgs.certSecretRef; secretName != "" {
+		repository.Spec.CertSecretRef = &meta.LocalObjectReference{
+			Name: secretName,
+		}
+	}
+
 	if createArgs.export {
 		return printExport(exportOCIRepository(repository))
 	}
diff --git a/cmd/flux/testdata/oci/create_source_oci.golden b/cmd/flux/testdata/oci/create_source_oci.golden
index 9cca413855..fd81b4a7f4 100644
--- a/cmd/flux/testdata/oci/create_source_oci.golden
+++ b/cmd/flux/testdata/oci/create_source_oci.golden
@@ -2,4 +2,4 @@
 ✔ OCIRepository created
 ◎ waiting for OCIRepository reconciliation
 ✔ OCIRepository reconciliation completed
-✔ fetched revision: 3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de
+✔ fetched digest: 3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de
diff --git a/cmd/flux/testdata/oci/get_oci.golden b/cmd/flux/testdata/oci/get_oci.golden
index f4fa8333ba..3c9558bf70 100644
--- a/cmd/flux/testdata/oci/get_oci.golden
+++ b/cmd/flux/testdata/oci/get_oci.golden
@@ -1,2 +1,2 @@
 NAME 	REVISION                                                        	SUSPENDED	READY	MESSAGE                                                                                         
-thrfg	3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de	False    	True 	stored artifact for revision '3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'	
+thrfg	3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de	False    	True 	stored artifact for digest '3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
diff --git a/manifests/bases/source-controller/kustomization.yaml b/manifests/bases/source-controller/kustomization.yaml
index f268590cfa..3b42223df1 100644
--- a/manifests/bases/source-controller/kustomization.yaml
+++ b/manifests/bases/source-controller/kustomization.yaml
@@ -15,4 +15,4 @@ patchesJson6902:
 # TODO: remove the hardcoded image when OCIRepository is released
 images:
   - name: fluxcd/source-controller
-    newTag: oci-ba5f5353
+    newTag: oci-09a9ef44