diff --git a/cmd/flux/create_image_repository.go b/cmd/flux/create_image_repository.go
index d7f32cbd..36357871 100644
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@@ -38,9 +38,10 @@ An ImageRepository object specifies an image repository to scan.`,
 }
 
 type imageRepoFlags struct {
-	image     string
-	secretRef string
-	timeout   time.Duration
+	image         string
+	secretRef     string
+	certSecretRef string
+	timeout       time.Duration
 }
 
 var imageRepoArgs = imageRepoFlags{}
@@ -49,6 +50,7 @@ func init() {
 	flags := createImageRepositoryCmd.Flags()
 	flags.StringVar(&imageRepoArgs.image, "image", "", "the image repository to scan; e.g., library/alpine")
 	flags.StringVar(&imageRepoArgs.secretRef, "secret-ref", "", "the name of a docker-registry secret to use for credentials")
+	flags.StringVar(&imageRepoArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
 	// NB there is already a --timeout in the global flags, for
 	// controlling timeout on operations while e.g., creating objects.
 	flags.DurationVar(&imageRepoArgs.timeout, "scan-timeout", 0, "a timeout for scanning; this defaults to the interval if not set")
@@ -94,6 +96,11 @@ func createImageRepositoryRun(cmd *cobra.Command, args []string) error {
 			Name: imageRepoArgs.secretRef,
 		}
 	}
+	if imageRepoArgs.certSecretRef != "" {
+		repo.Spec.CertSecretRef = &meta.LocalObjectReference{
+			Name: imageRepoArgs.certSecretRef,
+		}
+	}
 
 	if createArgs.export {
 		return printExport(exportImageRepository(&repo))