diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c index 0e07715595..3b3478a157 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c @@ -24,6 +24,7 @@ which are undefined if the following flag is not defined */ #include "mbedtls/ctr_drbg.h" #include "mbedtls/entropy.h" #include "mbedtls/debug.h" +#include "mbedtls/oid.h" #ifdef ESPRESSIF_USE #include "mbedtls/esp_debug.h" #include "mbedtls/esp_config.h" @@ -191,7 +192,6 @@ static int set_ca_cert(tls_context_t *tls, const unsigned char *cacert, size_t c } mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL); - return 0; } @@ -287,6 +287,14 @@ static void tls_enable_sha1_config(tls_context_t *tls) mbedtls_ssl_conf_cert_profile(&tls->conf, crt_profile); mbedtls_ssl_conf_sig_algs(&tls->conf, tls_sig_algs_for_eap); } +#ifdef CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK +static int tls_disable_key_usages(void *data, mbedtls_x509_crt *cert, int depth, uint32_t *flags) +{ + cert->MBEDTLS_PRIVATE(ext_types) &= ~MBEDTLS_X509_EXT_KEY_USAGE; + cert->MBEDTLS_PRIVATE(ext_types) &= ~MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE; + return 0; +} +#endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/ static const int eap_ciphersuite_preference[] = { @@ -516,6 +524,10 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex * but doesn't take that much processing power */ tls_set_ciphersuite(cfg, tls); +#ifdef CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK + mbedtls_ssl_set_verify( &tls->ssl, tls_disable_key_usages, NULL ); +#endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/ + #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE if (cfg->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE) { wpa_printf(MSG_INFO, "Using default cert bundle");
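Review bot: tls_disable_key_usages disables the check by rewriting the peer certificate's parsed `ext_types` through MBEDTLS_PRIVATE rather than by masking `*flags`, which mutates a private mbedtls field on every certificate at every depth and is fragile across mbedtls releases; whether the bypass reaches only the leaf's TLS-usage check or also the CA keyCertSign check depends on when mbedtls runs the verify callback relative to its own checks, so that should be confirmed against the pinned mbedtls version. The unused parameters should be silenced with `(void)data; (void)depth; (void)flags;`, and the function needs a header comment, e.g. `/* Verify callback: strips keyUsage/extendedKeyUsage from the peer chain so mbedtls skips those checks (interop with misissued server certs); compiled only with CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK. */`. A one-time `wpa_printf(MSG_WARNING, "TLS: keyUsage/extKeyUsage checks disabled")` when the option is active would make the weakened verification visible in logs. The `mbedtls/oid.h` include added in the first hunk is not used by any visible line.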
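Review bot: mbedtls_ssl_set_verify installs a per-connection verify callback, and as far as I recall mbedtls uses ssl->f_vrfy in preference to conf->f_vrfy, so when CONFIG_MBEDTLS_CERTIFICATE_BUNDLE is also enabled the bundle's conf-level verify callback (presumably attached under the `#ifdef` that follows, outside the hunk) would no longer run and bundle-based verification could fail or be bypassed; please test that combination. If that is the case, register the callback only when no other verify callback is in use, or have tls_disable_key_usages chain to the previously configured one. Style: the call has stray spaces inside the parentheses; `mbedtls_ssl_set_verify(&tls->ssl, tls_disable_key_usages, NULL);` matches the surrounding code. set_client_config continues outside the hunk.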