diff --git a/cmd/otk/osbuild-resolve-ostree-commit/main.go b/cmd/otk/osbuild-resolve-ostree-commit/main.go
index 54086240b1..b2e140f63d 100644
--- a/cmd/otk/osbuild-resolve-ostree-commit/main.go
+++ b/cmd/otk/osbuild-resolve-ostree-commit/main.go
@@ -27,6 +27,16 @@ type Input struct {
 
 	// Whether to use RHSM secrets when resolving and fetching the commit.
 	RHSM bool `json:"rhsm,omitempty"`
+
+	// MTLS information. Will be ignored if RHSM is set.
+	MTLS *struct {
+		CA         string `json:"ca"`
+		ClientCert string `json:"client_cert"`
+		ClientKey  string `json:"client_key"`
+	} `json:"mtls,omitempty"`
+
+	// HTTP proxy to use when fetching the ref.
+	Proxy string `json:"proxy,omitempty"`
 }
 
 // Output contains everything needed to write a manifest that requires pulling
@@ -53,6 +63,12 @@ func run(r io.Reader, w io.Writer) error {
 		URL:  inputTree.Tree.URL,
 		Ref:  inputTree.Tree.Ref,
 		RHSM: inputTree.Tree.RHSM,
+		MTLS: &ostree.MTLS{
+			CA:         inputTree.Tree.MTLS.CA,
+			ClientCert: inputTree.Tree.MTLS.ClientCert,
+			ClientKey:  inputTree.Tree.MTLS.ClientKey,
+		},
+		Proxy: inputTree.Tree.Proxy,
 	}
 
 	var commitSpec ostree.CommitSpec
diff --git a/pkg/ostree/ostree.go b/pkg/ostree/ostree.go
index 02f762056c..1b7cec0b65 100644
--- a/pkg/ostree/ostree.go
+++ b/pkg/ostree/ostree.go
@@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
@@ -158,7 +159,7 @@ func resolveRef(ss SourceSpec) (string, error) {
 	if err != nil {
 		return "", NewResolveRefError("error parsing ostree repository location: %v", err)
 	}
-	u.Path = path.Join(u.Path, "refs/heads/", ss.Ref)
+	u.Path = path.Join(u.Path, "refs", "heads", ss.Ref)
 
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	if u.Scheme == "https" {
@@ -190,7 +191,12 @@ func resolveRef(ss SourceSpec) (string, error) {
 	}
 
 	if ss.Proxy != "" {
-		proxyURL, err := url.Parse(ss.URL)
+		host, port, err := net.SplitHostPort(ss.Proxy)
+		if err != nil {
+			return "", NewResolveRefError("error parsing MTLS proxy URL '%s': %v", ss.URL, err)
+		}
+
+		proxyURL, err := url.Parse("http://" + host + ":" + port)
 		if err != nil {
 			return "", NewResolveRefError("error parsing MTLS proxy URL '%s': %v", ss.URL, err)
 		}