diff --git a/modules/mbedtls/Kconfig b/modules/mbedtls/Kconfig
index daaee438a38..dab5ef4215d 100644
--- a/modules/mbedtls/Kconfig
+++ b/modules/mbedtls/Kconfig
@@ -13,6 +13,7 @@ config MBEDTLS_PROMPTLESS
 	  mbed TLS menu prompt and instead handle the selection of MBEDTLS from
 	  dependent sub-configurations and thus prevent stuck symbol behavior.
 
+rsource "Kconfig.psa"
 
 menuconfig MBEDTLS
 	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS
diff --git a/modules/mbedtls/Kconfig.psa b/modules/mbedtls/Kconfig.psa
new file mode 100644
index 00000000000..35200a9d2f4
--- /dev/null
+++ b/modules/mbedtls/Kconfig.psa
@@ -0,0 +1,14 @@
+# Copyright (c) 2024 Nordic Semiconductor ASA
+# SPDX-License-Identifier: Apache-2.0
+
+config MBEDTLS_PSA_CRYPTO_CLIENT
+	bool
+	default y
+	depends on BUILD_WITH_TFM || MBEDTLS_PSA_CRYPTO_C
+
+if MBEDTLS_PSA_CRYPTO_CLIENT
+
+config PSA_WANT_ALG_SHA_256
+	bool "SHA-256 hash algorithm through PSA"
+
+endif # MBEDTLS_PSA_CRYPTO_CLIENT
diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h
index 18be5b4119e..d33b2de0e4b 100644
--- a/modules/mbedtls/configs/config-tls-generic.h
+++ b/modules/mbedtls/configs/config-tls-generic.h
@@ -496,8 +496,15 @@
 #endif
 
 #if defined(CONFIG_BUILD_WITH_TFM)
-#define MBEDTLS_PSA_CRYPTO_CLIENT
 #undef MBEDTLS_PSA_CRYPTO_C
 #endif /* CONFIG_BUILD_WITH_TFM */
 
+#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT)
+#define MBEDTLS_PSA_CRYPTO_CLIENT
+#endif
+
+#if defined(CONFIG_PSA_WANT_ALG_SHA_256)
+#define PSA_WANT_ALG_SHA_256 1
+#endif
+
 #endif /* MBEDTLS_CONFIG_H */