diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index 51bb96291..475883702 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -83,3 +83,8 @@
  */
 #define MBEDTLS_SSL_IN_CONTENT_LEN             1024
 #define MBEDTLS_SSL_OUT_CONTENT_LEN             1024
+
+/* These defines are present so that the config modifying scripts can enable
+ * them during tests/scripts/test-ref-configs.pl */
+//#define MBEDTLS_USE_PSA_CRYPTO
+//#define MBEDTLS_PSA_CRYPTO_C
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index c70773d63..95c40875f 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -110,3 +110,8 @@
  */
 #define MBEDTLS_SSL_IN_CONTENT_LEN             1024
 #define MBEDTLS_SSL_OUT_CONTENT_LEN             1024
+
+/* These defines are present so that the config modifying scripts can enable
+ * them during tests/scripts/test-ref-configs.pl */
+//#define MBEDTLS_USE_PSA_CRYPTO
+//#define MBEDTLS_PSA_CRYPTO_C
diff --git a/configs/config-thread.h b/configs/config-thread.h
index 36d824510..c032fdc4b 100644
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@@ -85,3 +85,8 @@
 
 /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
 #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
+
+/* These defines are present so that the config modifying scripts can enable
+ * them during tests/scripts/test-ref-configs.pl */
+//#define MBEDTLS_USE_PSA_CRYPTO
+//#define MBEDTLS_PSA_CRYPTO_C
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index c63b51130..dc0f120e4 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -30,16 +30,20 @@ use strict;
 my %configs = (
     'config-ccm-psk-tls1_2.h' => {
         'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
+        'test_again_with_use_psa' => 1
     },
     'config-no-entropy.h' => {
     },
     'config-suite-b.h' => {
         'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
+        'test_again_with_use_psa' => 1,
     },
     'config-symmetric-only.h' => {
+        'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice
     },
     'config-thread.h' => {
         'opt' => '-f ECJPAKE.*nolog',
+        'test_again_with_use_psa' => 1,
     },
 );
 
@@ -79,18 +83,33 @@ if (!-e "tests/seedfile" || -s "tests/seedfile" < 64) {
     close SEEDFILE or die;
 }
 
-while( my ($conf, $data) = each %configs ) {
+sub perform_test {
+    my $conf = $_[0];
+    my $data = $_[1];
+    my $test_with_psa = $_[2];
+
     system( "cp $config_h.bak $config_h" ) and die;
     system( "make clean" ) and die;
 
     print "\n******************************************\n";
     print "* Testing configuration: $conf\n";
+    if ( $test_with_psa )
+    {
+        print "* ENABLING MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO \n";
+    }
     print "******************************************\n";
+
     $ENV{MBEDTLS_TEST_CONFIGURATION} = $conf;
 
     system( "cp configs/$conf $config_h" )
         and abort "Failed to activate $conf\n";
 
+    if ( $test_with_psa )
+    {
+        system( "scripts/config.py set MBEDTLS_PSA_CRYPTO_C" );
+        system( "scripts/config.py set MBEDTLS_USE_PSA_CRYPTO" );
+    }
+
     system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf\n";
     system( "make test" ) and abort "Failed test suite: $conf\n";
 
@@ -119,6 +138,15 @@ while( my ($conf, $data) = each %configs ) {
     }
 }
 
+while( my ($conf, $data) = each %configs ) {
+    my $test_with_psa = $data->{'test_again_with_use_psa'};
+    if ( $test_with_psa )
+    {
+        perform_test( $conf, $data, $test_with_psa );
+    }
+    perform_test( $conf, $data, 0 );
+}
+
 system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
 system( "make clean" );
 exit 0;