diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index b8ee41a423..07641cb3e8 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -694,7 +694,8 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
         key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
                              mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage)) &&
-                            mbedtls_pk_can_do_psa(&cur->cert->pk, pk_alg, pk_usage));
+                            mbedtls_pk_can_do_psa(&cur->cert->pk, pk_alg,
+                                                  PSA_KEY_USAGE_VERIFY_HASH));
 #else
         key_type_matches = (
             mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage));
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 8b60a7b30e..982e6f8c3b 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1161,7 +1161,7 @@ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
                     *sig_alg, &key_cert->cert->pk)
                 && psa_alg != PSA_ALG_NONE &&
                 mbedtls_pk_can_do_psa(&key_cert->cert->pk, psa_alg,
-                                      PSA_KEY_USAGE_SIGN_HASH) == 1
+                                      PSA_KEY_USAGE_VERIFY_HASH) == 1
                 ) {
                 ssl->handshake->key_cert = key_cert;
                 MBEDTLS_SSL_DEBUG_MSG(3,