diff --git a/cmd/tk/create_source_git.go b/cmd/tk/create_source_git.go
index 929f39f3c8a5deb4a79cd35d191414d8f3e5ae88..8121a19f6922d46f8e5c34f1c120362164628ecd 100644
--- a/cmd/tk/create_source_git.go
+++ b/cmd/tk/create_source_git.go
@@ -2,12 +2,10 @@ package main
 
 import (
 	"context"
-	"crypto/elliptic"
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
-	"strings"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1alpha1"
 	"github.com/manifoldco/promptui"
@@ -65,8 +63,9 @@ var (
 	sourceGitSemver       string
 	sourceGitUsername     string
 	sourceGitPassword     string
-	sourceGitKeyAlgorithm string
-	sourceGitRSABits      int
+	sourceGitKeyAlgorithm PublicKeyAlgorithm
+	sourceGitRSABits      RSAKeyBits
+	sourceGitECDSACurve   ECDSACurve
 )
 
 func init() {
@@ -76,8 +75,9 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitSemver, "tag-semver", "", "git tag semver range")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitUsername, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitPassword, "password", "p", "", "basic authentication password")
-	createSourceGitCmd.Flags().StringVarP(&sourceGitKeyAlgorithm, "ssh-algorithm", "", "rsa", "SSH public key algorithm")
-	createSourceGitCmd.Flags().IntVarP(&sourceGitRSABits, "ssh-rsa-bits", "", 2048, "SSH RSA public key bit size")
+	createSourceGitCmd.Flags().Var(&sourceGitKeyAlgorithm, "ssh-algorithm", "SSH public key algorithm")
+	createSourceGitCmd.Flags().Var(&sourceGitRSABits, "ssh-rsa-bits", "SSH RSA public key bit size")
+	createSourceGitCmd.Flags().Var(&sourceGitECDSACurve, "ssh-ecdsa-curve", "SSH ECDSA public key curve")
 
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@@ -109,12 +109,11 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	withAuth := false
 	if u.Scheme == "ssh" {
 		var keyGen ssh.KeyPairGenerator
-		switch strings.ToLower(sourceGitKeyAlgorithm) {
+		switch sourceGitKeyAlgorithm.String() {
 		case "rsa":
-			keyGen = ssh.NewRSAGenerator(sourceGitRSABits)
+			keyGen = ssh.NewRSAGenerator(int(sourceGitRSABits))
 		case "ecdsa":
-			// TODO(hidde): make curve configurable by flag
-			keyGen = ssh.NewECDSAGenerator(elliptic.P521())
+			keyGen = ssh.NewECDSAGenerator(sourceGitECDSACurve.Curve)
 		}
 		host := u.Host
 		if u.Port() == "" {
@@ -230,15 +229,16 @@ func generateSSH(ctx context.Context, generator ssh.KeyPairGenerator, name, host
 	}
 
 	logAction("collecting SSH server public key for generated public key algorithm")
-	serverKey, err := ssh.ScanHostKey(host, user, kp)
+	hostKey, err := ssh.ScanHostKey(host, user, kp)
 	if err != nil {
 		return err
 	}
 	logSuccess("collected public key from SSH server")
+	fmt.Printf("%s", hostKey)
 
 	logAction("saving keys")
 	files := fmt.Sprintf("--from-literal=identity=\"%s\" --from-literal=identity.pub=\"%s\" --from-literal=known_hosts=\"%s\"",
-		kp.PublicKey, kp.PrivateKey, serverKey)
+		kp.PublicKey, kp.PrivateKey, hostKey)
 	secret := fmt.Sprintf("kubectl -n %s create secret generic %s %s --dry-run=client -oyaml | kubectl apply -f-",
 		namespace, name, files)
 	if _, err := utils.execCommand(ctx, ModeOS, secret); err != nil {
diff --git a/cmd/tk/flags.go b/cmd/tk/flags.go
new file mode 100644
index 0000000000000000000000000000000000000000..f91e729c2fc5b2744c2d48756575a0fd31fa6acb
--- /dev/null
+++ b/cmd/tk/flags.go
@@ -0,0 +1,101 @@
+package main
+
+import (
+	"crypto/elliptic"
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+var supportedPublicKeyAlgorithms = []string{"rsa", "ecdsa"}
+
+type PublicKeyAlgorithm string
+
+func (a *PublicKeyAlgorithm) String() string {
+	return string(*a)
+}
+
+func (a *PublicKeyAlgorithm) Set(str string) error {
+	if strings.TrimSpace(str) == "" {
+		*a = PublicKeyAlgorithm(supportedPublicKeyAlgorithms[0])
+		return nil
+	}
+	for _, v := range supportedPublicKeyAlgorithms {
+		if str == v {
+			*a = PublicKeyAlgorithm(str)
+			return nil
+		}
+	}
+	return fmt.Errorf(
+		"unsupported public key algorithm '%s', must be one of: %s",
+		str,
+		strings.Join(supportedPublicKeyAlgorithms, ", "),
+	)
+}
+
+func (a *PublicKeyAlgorithm) Type() string {
+	return "publicKeyAlgorithm"
+}
+
+var defaultRSAKeyBits = 2048
+
+type RSAKeyBits int
+
+func (b *RSAKeyBits) String() string {
+	return strconv.Itoa(int(*b))
+}
+
+func (b *RSAKeyBits) Set(str string) error {
+	if strings.TrimSpace(str) == "" {
+		*b = RSAKeyBits(defaultRSAKeyBits)
+		return nil
+	}
+	bits, err := strconv.Atoi(str)
+	if err != nil {
+		return err
+	}
+	if bits%8 != 0 {
+		return fmt.Errorf("RSA key bit size should be a multiples of 8")
+	}
+	*b = RSAKeyBits(bits)
+	return nil
+}
+
+func (b *RSAKeyBits) Type() string {
+	return "rsaKeyBits"
+}
+
+type ECDSACurve struct {
+	elliptic.Curve
+}
+
+var supportedECDSACurves = map[string]elliptic.Curve{
+	"P-256": elliptic.P256(),
+	"P-384": elliptic.P384(),
+	"P-521": elliptic.P521(),
+}
+
+func (c *ECDSACurve) String() string {
+	if c == nil || c.Curve == nil {
+		return ""
+	}
+	return c.Curve.Params().Name
+}
+
+func (c *ECDSACurve) Set(str string) error {
+	if strings.TrimSpace(str) == "" {
+		*c = ECDSACurve{supportedECDSACurves["P-384"]}
+		return nil
+	}
+	for k, v := range supportedECDSACurves {
+		if k == str {
+			*c = ECDSACurve{v}
+			return nil
+		}
+	}
+	return fmt.Errorf("unsupported curve '%s', should be one of: P-256, P-384, P-521", str)
+}
+
+func (c *ECDSACurve) Type() string {
+	return "ecdsaCurve"
+}