diff --git a/library/pk.c b/library/pk.c
index 2516eed6fe..4e2f218032 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -904,6 +904,7 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
 
         /* import private key into PSA */
         status = psa_import_key(&attributes, d, d_len, key);
+        mbedtls_platform_zeroize(d, sizeof(d));
         if (status != PSA_SUCCESS) {
             return PSA_PK_TO_MBEDTLS_ERR(status);
         }
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 47370b49e9..257903ce80 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -935,6 +935,10 @@ ec_prv.pk8param.pem: ec_prv.pk8param.der
 	$(OPENSSL) pkey -in $< -inform DER -out $@
 all_final += ec_prv.pk8param.pem
 
+ec_pub.pem: ec_prv.sec1.der
+	$(OPENSSL) pkey -in $< -inform DER -outform PEM -pubout -out $@
+all_final += ec_pub.pem
+
 ec_prv.sec1.comp.pem: ec_prv.sec1.pem
 	$(OPENSSL) ec -in $< -out $@ -conv_form compressed
 all_final += ec_prv.sec1.comp.pem
diff --git a/tests/data_files/ec_pub.comp.pem b/tests/data_files/ec_pub.comp.pem
index a3742a3120..55fac08430 100644
--- a/tests/data_files/ec_pub.comp.pem
+++ b/tests/data_files/ec_pub.comp.pem
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MDEwEwYHKoZIzj0CAQYIKoZIzj0DAQEDGgACvHl9s65/COw9SWtPtBGz9iClWKUB
-4CIt
+MDEwEwYHKoZIzj0CAQYIKoZIzj0DAQEDGgADUXW83zCjcPOdU5PmEnKI2AFntfS0
+t3bG
 -----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_pub.der b/tests/data_files/ec_pub.der
index 74c5951f60..e4e59158a8 100644
Binary files a/tests/data_files/ec_pub.der and b/tests/data_files/ec_pub.der differ
diff --git a/tests/data_files/ec_pub.pem b/tests/data_files/ec_pub.pem
index d677d27eb5..d54dc944cd 100644
--- a/tests/data_files/ec_pub.pem
+++ b/tests/data_files/ec_pub.pem
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEvHl9s65/COw9SWtPtBGz9iClWKUB
-4CItCM/g3Irsixp78kvpKVHMW6G+uyR0kJrg
+MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEUXW83zCjcPOdU5PmEnKI2AFntfS0
+t3bGdPfG81S30iQGLB9oVLWnrw/leOryWPAn
 -----END PUBLIC KEY-----
diff --git a/tests/suites/test_suite_pkwrite.data b/tests/suites/test_suite_pkwrite.data
index a339cdbb0c..34bf0da853 100644
--- a/tests/suites/test_suite_pkwrite.data
+++ b/tests/suites/test_suite_pkwrite.data
@@ -93,3 +93,23 @@ pk_write_key_check:"data_files/ec_bp512_prv.pem":TEST_PEM
 Private key write check EC Brainpool 512 bits (DER)
 depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_BP512R1_ENABLED
 pk_write_key_check:"data_files/ec_bp512_prv.der":TEST_DER
+
+Derive public key RSA
+depends_on:MBEDTLS_RSA_C
+pk_write_public_from_private:"data_files/server1.key.der":"data_files/server1.pubkey.der"
+
+Derive public key RSA 4096
+depends_on:MBEDTLS_RSA_C
+pk_write_public_from_private:"data_files/rsa4096_prv.der":"data_files/rsa4096_pub.der"
+
+Derive public key EC 192 bits
+depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+pk_write_public_from_private:"data_files/ec_prv.sec1.der":"data_files/ec_pub.der"
+
+Derive public key EC 521 bits
+depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+pk_write_public_from_private:"data_files/ec_521_prv.der":"data_files/ec_521_pub.der"
+
+Derive public key EC Brainpool 512 bits
+depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_BP512R1_ENABLED
+pk_write_public_from_private:"data_files/ec_bp512_prv.der":"data_files/ec_bp512_pub.der"
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function
index 804e9a77eb..c148c8a848 100644
--- a/tests/suites/test_suite_pkwrite.function
+++ b/tests/suites/test_suite_pkwrite.function
@@ -2,6 +2,7 @@
 #include "mbedtls/pk.h"
 #include "mbedtls/pem.h"
 #include "mbedtls/oid.h"
+#include "psa/crypto_sizes.h"
 
 typedef enum {
     TEST_PEM,
@@ -124,3 +125,57 @@ void pk_write_key_check(char *key_file, int is_der)
     goto exit; /* make the compiler happy */
 }
 /* END_CASE */
+
+/* BEGIN_CASE */
+void pk_write_public_from_private(char *priv_key_file, char *pub_key_file)
+{
+    mbedtls_pk_context priv_key;
+    uint8_t *derived_key_raw = NULL;
+    size_t derived_key_len = 0;
+    uint8_t *pub_key_raw = NULL;
+    size_t pub_key_len = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+    mbedtls_pk_init(&priv_key);
+    USE_PSA_INIT();
+
+    TEST_EQUAL(mbedtls_pk_parse_keyfile(&priv_key, priv_key_file, NULL,
+                                        mbedtls_test_rnd_std_rand, NULL), 0);
+    TEST_EQUAL(mbedtls_pk_load_file(pub_key_file, &pub_key_raw,
+                                    &pub_key_len), 0);
+
+    derived_key_len = pub_key_len;
+    ASSERT_ALLOC(derived_key_raw, derived_key_len);
+
+    TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw,
+                                           derived_key_len), pub_key_len);
+
+    ASSERT_COMPARE(derived_key_raw, derived_key_len,
+                   pub_key_raw, pub_key_len);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    mbedtls_platform_zeroize(derived_key_raw, sizeof(derived_key_raw));
+
+    TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&priv_key, &opaque_key_id,
+                                         PSA_ALG_NONE, PSA_KEY_USAGE_EXPORT,
+                                         PSA_ALG_NONE), 0);
+
+    TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw,
+                                           derived_key_len), pub_key_len);
+
+    ASSERT_COMPARE(derived_key_raw, derived_key_len,
+                   pub_key_raw, pub_key_len);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_destroy_key(opaque_key_id);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+    mbedtls_free(derived_key_raw);
+    mbedtls_free(pub_key_raw);
+    mbedtls_pk_free(&priv_key);
+    USE_PSA_DONE();
+}
+/* END_CASE */