diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 251d4f057a..0b755e35e1 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3671,6 +3671,17 @@
  */
 //#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
+/** \def PSA_KEY_SLOT_COUNT
+ * Restrict the PSA library to supporting a maximum amount of simultaneously
+ * loaded keys. A loaded key is a key stored by the PSA Crypto core as a
+ * volatile key, or a persistent key which is loaded temporarily by the
+ * library as part of a crypto operation in flight.
+ *
+ * If this option is unset, the library will fall back to a default value of
+ * 32 keys.
+ */
+//#define PSA_KEY_SLOT_COUNT 32
+
 /* SSL Cache options */
 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index 14b5be39f8..a10bb8bfde 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -39,6 +39,10 @@ extern "C" {
 /* UID for secure storage seed */
 #define PSA_CRYPTO_ITS_RANDOM_SEED_UID 0xFFFFFF52
+/* See config.h for definition */
+#if !defined(PSA_KEY_SLOT_COUNT)
+#define PSA_KEY_SLOT_COUNT 32
+#endif
 /** \addtogroup attributes
  * @{
diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
index 32ccd4982b..b0148bdca4 100644
--- a/library/psa_crypto_slot_management.h
+++ b/library/psa_crypto_slot_management.h
@@ -25,12 +25,6 @@
 #include "psa_crypto_core.h"
 #include "psa_crypto_se.h"
-/* Number of key slots (plus one because 0 is not used).
- * The value is a compile-time constant for now, for simplicity. */
-#if !defined(PSA_KEY_SLOT_COUNT)
-#define PSA_KEY_SLOT_COUNT 32
-#endif
-
 /** Range of volatile key identifiers.
  *
  * The last PSA_KEY_SLOT_COUNT identifiers of the implementation range
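Review bot: The new config.h option is named `PSA_KEY_SLOT_COUNT`, while every neighbouring option visible in this hunk carries the `MBEDTLS_` prefix (`MBEDTLS_PSA_HMAC_DRBG_MD_TYPE`, `MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT`). An unprefixed name in the `PSA_` namespace is harder for integrators to find and easier to collide with. The doc comment also leaves out the accepted range and what a caller sees once every slot is occupied. I would add a line such as ` * When all slots are in use, operations that need a free slot fail, so size this for the peak number of keys in use at once.` The comment removed from psa_crypto_slot_management.h said "plus one because 0 is not used"; the new text should state whether that still applies.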
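Review bot: The fallback added to crypto_extra.h accepts whatever value the integrator supplies for `PSA_KEY_SLOT_COUNT`, with no compile-time sanity check. The context in psa_crypto_slot_management.h shows the same macro sizes the reserved range of volatile key identifiers, and it presumably sizes the slot table as well (not visible in this diff). A value of 0, a negative value or an oversized one would therefore misconfigure key storage silently. I would follow the `#endif` with `#if PSA_KEY_SLOT_COUNT < 1` / `#error "PSA_KEY_SLOT_COUNT must be at least 1"` / `#endif`, plus an upper bound if the identifier range imposes one. The comment `/* See config.h for definition */` could also say that this is the default used when the option is unset.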