diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
index d75abd64be2..b55111a5599 100644
--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@@ -460,10 +460,30 @@ config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 	  which ensures that master secrets are different for every
 	  connection and every session.
 
+choice MBEDTLS_PSA_CRYPTO_RND_SOURCE
+	prompt "Select random source for built-in PSA crypto"
+	default MBEDTLS_PSA_CRYPTO_LEGACY_RNG
+
+config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+	bool "Use a cryptographically secure driver as random source"
+	depends on CSPRNG_ENABLED
+	help
+	  Use cryptographically secure random generator to provide random data
+	  instead of legacy MbedTLS modules (ENTROPY + CTR_DRBG/HMAC_DRBG).
+
+config MBEDTLS_PSA_CRYPTO_LEGACY_RNG
+	bool "Use legacy modules to generate random data"
+	select MBEDTLS_ENTROPY_ENABLED
+	select MBEDTLS_CTR_DRBG_ENABLED if !MBEDTLS_HMAC_DRBG_ENABLED
+	help
+	  Use legacy MbedTLS modules (ENTROPY + CTR_DRBG/HMAC_DRBG) as random
+	  source generators.
+
+endchoice
+
 config MBEDTLS_PSA_CRYPTO_C
 	bool "Platform Security Architecture cryptography API"
-	depends on MBEDTLS_ENTROPY_ENABLED
-	depends on MBEDTLS_CTR_DRBG_ENABLED || MBEDTLS_HMAC_DRBG_ENABLED
+	depends on MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG || MBEDTLS_PSA_CRYPTO_LEGACY_RNG
 	default y if UOSCORE || UEDHOC
 
 config MBEDTLS_LMS
diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h
index d33b2de0e4b..6febce2c60d 100644
--- a/modules/mbedtls/configs/config-tls-generic.h
+++ b/modules/mbedtls/configs/config-tls-generic.h
@@ -468,6 +468,10 @@
 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 #endif
 
+#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+#endif
+
 #if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C)
 #define MBEDTLS_PSA_CRYPTO_C
 #define MBEDTLS_USE_PSA_CRYPTO
diff --git a/modules/mbedtls/zephyr_init.c b/modules/mbedtls/zephyr_init.c
index 28a6a40fdc5..78602e497e3 100644
--- a/modules/mbedtls/zephyr_init.c
+++ b/modules/mbedtls/zephyr_init.c
@@ -115,3 +115,26 @@ mbedtls_ms_time_t mbedtls_ms_time(void)
 {
 	return (mbedtls_ms_time_t)k_uptime_get();
 }
+
+#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/* MBEDTLS_PSA_CRYPTO_C requires a random generator to work and this can
+ * be achieved through either legacy MbedTLS modules
+ * (ENTROPY + CTR_DRBG/HMAC_DRBG) or provided externally by enabling the
+ * CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. In the latter case the following
+ * callback functions needs to be defined.
+ */
+psa_status_t mbedtls_psa_external_get_random(
+	mbedtls_psa_external_random_context_t *context,
+	uint8_t *output, size_t output_size, size_t *output_length)
+{
+	(void) context;
+
+	if (sys_csrand_get(output, output_size) != 0) {
+		return PSA_ERROR_GENERIC_ERROR;
+	}
+
+	*output_length = output_size;
+
+	return PSA_SUCCESS;
+}
+#endif