diff --git a/samples/net/sockets/echo_server/CMakeLists.txt b/samples/net/sockets/echo_server/CMakeLists.txt
index 3237e2a9658..5764048adc3 100644
--- a/samples/net/sockets/echo_server/CMakeLists.txt
+++ b/samples/net/sockets/echo_server/CMakeLists.txt
@@ -27,6 +27,9 @@ include($ENV{ZEPHYR_BASE}/samples/net/common/common.cmake) set(gen_dir ${ZEPHYR_BINARY_DIR}/include/generated/) foreach(inc_file + ca.der + server.der + server_privkey.der echo-apps-cert.der echo-apps-key.der )
diff --git a/samples/net/sockets/echo_server/Kconfig b/samples/net/sockets/echo_server/Kconfig
index 5e28415fb0d..58c91424f83 100644
--- a/samples/net/sockets/echo_server/Kconfig
+++ b/samples/net/sockets/echo_server/Kconfig
@@ -58,4 +58,11 @@ config NET_SAMPLE_PSK_HEADER_FILE Name of a header file containing a pre-shared key. +config NET_SAMPLE_CERTS_WITH_SC + bool "Signed certificates" + depends on NET_SOCKETS_SOCKOPT_TLS + help + Enable this flag, if you are interested to run this + application with signed certificates and keys. + source "Kconfig.zephyr"
diff --git a/samples/net/sockets/echo_server/src/ca.der b/samples/net/sockets/echo_server/src/ca.der
new file mode 100644
index 00000000000..b1d3e097cad
Binary files /dev/null and b/samples/net/sockets/echo_server/src/ca.der differ
diff --git a/samples/net/sockets/echo_server/src/certificate.h b/samples/net/sockets/echo_server/src/certificate.h
index eb6fd741d1d..0d70f4326aa 100644
--- a/samples/net/sockets/echo_server/src/certificate.h
+++ b/samples/net/sockets/echo_server/src/certificate.h
@@ -10,6 +10,7 @@ #define SERVER_CERTIFICATE_TAG 1 #define PSK_TAG 2 +#if !defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) static const unsigned char server_certificate[] = { #include "echo-apps-cert.der.inc" };
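Review bot: The help text of `NET_SAMPLE_CERTS_WITH_SC` does not say what the option switches, so a user cannot tell which credentials end up in the image. Going by the certificate.h change in this same commit, enabling it replaces the `echo-apps-cert.der` / `echo-apps-key.der` pair with `ca.der`, `server.der` and `server_privkey.der`, and the help could state exactly that. Because the private key is checked into the sample tree, I would also add a help line such as `The bundled key is public test material; replace it before any deployment.`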
@@ -19,6 +20,22 @@ static const unsigned char private_key[] = { #include "echo-apps-key.der.inc" }; +#else + +static const unsigned char ca_certificate[] = { +#include "ca.der.inc" +}; + +static const unsigned char server_certificate[] = { +#include "server.der.inc" +}; + +/* This is the private key in pkcs#8 format. */ +static const unsigned char private_key[] = { +#include "server_privkey.der.inc" +}; +#endif + #if defined(CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) #include CONFIG_NET_SAMPLE_PSK_HEADER_FILE #endif
diff --git a/samples/net/sockets/echo_server/src/echo-server.c b/samples/net/sockets/echo_server/src/echo-server.c
index 601bb083b89..0049d0f9dda 100644
--- a/samples/net/sockets/echo_server/src/echo-server.c
+++ b/samples/net/sockets/echo_server/src/echo-server.c
@@ -41,15 +41,29 @@ void quit(void) static void init_app(void) { +#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) || \ + defined(CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) + int err; +#endif k_sem_init(&quit_lock, 0, UINT_MAX); LOG_INF(APP_BANNER); #if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) - int err = tls_credential_add(SERVER_CERTIFICATE_TAG, - TLS_CREDENTIAL_SERVER_CERTIFICATE, - server_certificate, - sizeof(server_certificate)); +#if defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) + err = tls_credential_add(SERVER_CERTIFICATE_TAG, + TLS_CREDENTIAL_CA_CERTIFICATE, + ca_certificate, + sizeof(ca_certificate)); + if (err < 0) { + LOG_ERR("Failed to register CA certificate: %d", err); + } +#endif + + err = tls_credential_add(SERVER_CERTIFICATE_TAG, + TLS_CREDENTIAL_SERVER_CERTIFICATE, + server_certificate, + sizeof(server_certificate)); if (err < 0) { LOG_ERR("Failed to register public certificate: %d", err); }
diff --git a/samples/net/sockets/echo_server/src/server.der b/samples/net/sockets/echo_server/src/server.der
new file mode 100644
index 00000000000..2b664a4bdb2
Binary files /dev/null and b/samples/net/sockets/echo_server/src/server.der differ
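Review bot: `private_key[]` in the new `#else` branch of certificate.h is filled from `server_privkey.der`, which this commit adds to the repository, so the key is known to anyone with the source and must not leave the sample. The existing comment only names the encoding; I would extend it to `/* Test-only private key in PKCS#8 format; it is public, replace it for any real deployment. */`. A one-line comment above `ca_certificate[]` should also say what the CA is for, since nothing in the header tells the reader whether it is the issuer of `server.der` or a trust anchor for client certificates.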
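Review bot: A failed `tls_credential_add()` for the CA certificate in `init_app()` is only logged and start-up continues, so with `CONFIG_NET_SAMPLE_CERTS_WITH_SC` set the server can come up without the trust anchor the option asks for. `init_app()` returns void and the rest of its body is outside the hunk, so the smallest change is to make the consequence explicit, e.g. `LOG_ERR("CA certificate not registered (%d); peer verification unavailable", err);`, or to stop start-up at that point. The CA is also registered under `SERVER_CERTIFICATE_TAG`, and a comment such as `/* CA shares the server tag so one sec_tag list covers both credentials */` would show this is intended. Whether the listening socket sets `TLS_PEER_VERIFY` is not visible here; if it does not, registering the CA probably has no effect on client authentication, and that is worth confirming.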
diff --git a/samples/net/sockets/echo_server/src/server_privkey.der b/samples/net/sockets/echo_server/src/server_privkey.der
new file mode 100644
index 00000000000..2269293fe79
Binary files /dev/null and b/samples/net/sockets/echo_server/src/server_privkey.der differ