diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index c02aeeaa08..ec4446c1b4 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -3325,6 +3325,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
     mbedtls_pk_context *peer_pk;
+    psa_algorithm_t psa_sig_alg;
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
@@ -3422,9 +3423,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
     /*
      * Check the certificate's key type matches the signature alg
      */
-    if (!mbedtls_pk_can_do_psa(peer_pk,
-                               mbedtls_psa_alg_from_pk_sigalg(pk_alg, PSA_ALG_ANY_HASH),
-                               PSA_KEY_USAGE_VERIFY_HASH)) {
+    psa_sig_alg = mbedtls_psa_alg_from_pk_sigalg(pk_alg, mbedtls_md_psa_alg_from_type(md_alg));
+    if (!mbedtls_pk_can_do_psa(peer_pk, psa_sig_alg, PSA_KEY_USAGE_VERIFY_HASH)) {
         MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
     }
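Review bot: The comment above the rewritten check still says only the certificate's key *type* is compared, but the new code asks `mbedtls_pk_can_do_psa` about the concrete (pk_alg, md_alg) pair instead of `PSA_ALG_ANY_HASH`, so a peer key whose policy does not permit that exact hash is now also rejected with `MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER`; the comment should say so, e.g. `/* Check the certificate's key can perform the exact signature algorithm (key type and hash) */`. If `mbedtls_psa_alg_from_pk_sigalg` or `mbedtls_md_psa_alg_from_type` can return `PSA_ALG_NONE` for an unsupported combination (not visible here), that value is fed straight into the policy test; this presumably fails closed, but a one-line comment stating that reliance would help the next reader. Whether `md_alg` has been validated before this point is outside the hunk, as is the rest of `ssl_parse_certificate_verify`, which begins and ends outside both hunks.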