diff --git a/ChangeLog.d/psa-without-genprime-fix.txt b/ChangeLog.d/psa-without-genprime-fix.txt
new file mode 100644
index 000000000000..cce06ffe9d18
--- /dev/null
+++ b/ChangeLog.d/psa-without-genprime-fix.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix how PSA configures RSA support based on what features are set in the
+ Mbed TLS configuration. Specifically, support RSA without key generation when MBEDTLS_GENPRIME is not
+ defined. Fixes #4512.
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index fa415d5f028c..5024062fa243 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -593,8 +593,10 @@ extern "C" {
 #define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1
 #define PSA_WANT_ALG_RSA_PSS 1
 #endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_GENPRIME)
 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1
 #define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1
+#endif /* MBEDTLS_GENPRIME */
 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
 #define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
 #endif /* MBEDTLS_RSA_C */
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 8b9d7d172d32..24b20f292c7c 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1306,6 +1306,12 @@ component_build_crypto_baremetal () {
 if_build_succeeded are_empty_libraries library/libmbedx509.* library/libmbedtls.*
 }
 
+component_build_psa_crypto_rsa_no_genprime() {
+ msg "build: default config minus MBEDTLS_GENPRIME"
+ scripts/config.py unset MBEDTLS_GENPRIME
+ make
+}
+
 component_test_depends_curves () {
 msg "test/build: curves.pl (gcc)" # ~ 4 min
 record_status tests/scripts/curves.pl
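Review bot: The new `#if defined(MBEDTLS_GENPRIME)` guard in include/mbedtls/config_psa.h removes the whole RSA key-pair type rather than only key generation, so a build without MBEDTLS_GENPRIME appears to lose PSA import, signing and decryption with RSA private keys. If that is the intended trade-off, it should be stated at the guard, for example `/* RSA_KEY_PAIR implies key generation, which needs MBEDTLS_GENPRIME; without it PSA exposes RSA public keys only. */`. Code that tests `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR` will then compile out its private-key paths without any diagnostic, which integrators of reduced configurations would want to know. The enclosing `#if defined(MBEDTLS_RSA_C)` block starts outside the hunk.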
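Review bot: `component_build_psa_crypto_rsa_no_genprime()` in tests/scripts/all.sh only runs `make`, so it proves the configuration compiles but not that the remaining RSA public-key operations still work through PSA. Following the build with `make test` under a matching `msg "test: default config minus MBEDTLS_GENPRIME"` line would cover that, assuming the test suites declare their dependency on the key-pair type. The definition also omits the space before `()` that the neighbouring `component_build_crypto_baremetal () {` and `component_test_depends_curves () {` use; `component_build_psa_crypto_rsa_no_genprime () {` would match.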