diff --git a/components/mbedtls/test/test_rsa.c b/components/mbedtls/test/test_rsa.c
index f1185160b..c10df5088 100644
--- a/components/mbedtls/test/test_rsa.c
+++ b/components/mbedtls/test/test_rsa.c
@@ -19,6 +19,8 @@
 #include "sdkconfig.h"
 #include "test_utils.h"
 
+#define PRINT_DEBUG_INFO
+
 /* Taken from openssl s_client -connect api.gigafive.com:443 -showcerts
  */
 static const char *rsa4096_cert = "-----BEGIN CERTIFICATE-----\n"\
@@ -182,10 +184,18 @@ static const uint8_t pki_rsa2048_output[] = {
     0xf9, 0xe9, 0x50, 0x29, 0x5d, 0x4f, 0xcc, 0xc9,
 };
 
+#ifdef CONFIG_MBEDTLS_HARDWARE_MPI
+/* Pregenerated RSA 4096 size keys using openssl */
+static const char privkey_buf[] = "-----BEGIN RSA PRIVATE KEY-----\n"
+                                  "MIIJKAIBAAKCAgEA1blr9wfIzTylroJHxcoq+YFA765gF5vj9b6tfaPG0XQExSkjndHv5sra4ar7T+k2sBB4OcKKeGHkNk6wk8tGmOS79r2L74XZs1eB0UruG+huV7Sd+YiWzwN8y9jGImA9hIkf1qxIvkco5WTmT7cVwUnCQ7qiiVadD/LgyeGD04yKZpzv9UJzfjXz5ITTn/ejcn7423M9qz41nhRWwK4zw1jv7IB57d1dWOCbN3RO4dvfVndCz8DOmLzJrZAkLsz39vppbIwbMqTXKFxWqzZY2xrYmnMx9p3v4hLeju7ls3fsekESonoP0C76u50wJfZWO2XcIUo4pue/jHi2o9KouhLXW/vyasplXvE6FFrBjSpsm1Nar4KQMUolEkUbO9baGcQvH9G5WOH0kwPt7AOSqM2EUPvBd7Jv0tbMI/BRZVVltC/t6WhannCM/I6nZrlNe5tie/qYlFu474jp5/tpa8RykkDxwl9whejIqd4iQbvDiP/GXgBYtDJ9VU/S2KqHJhQFLDi+F3+ewOcF391fgt1e1J2vNYLKZOfxTOl/1vJbU/2IjRWTRQ7cXnmpR/GNCRfgH2as6Z/0oknBSVephguDnO5QlveP4Cx2EOVY/A/KgDpu8PumSrlIk+YQgLxdKsXaVI6eDY4rY7q2uCJH3yIAfZJXEeD+ResUuSZltvECAwEAAQKCAgBwR89+oipOGHR6b5tBP+q/1bXFtXhqLs3eBuSiQu5qj2cKJYi+mtJMD3paYDdTThQa/ywKPDf+8n6wQTrnCj32iQRupjnkBg/O9kQPLixVoRCHJy5vL+D6tLxVY3cEDEeFX3zIjQ5SWJQVn6KXcnoNZ7CVYHGPcV9mR5TsuntFImp7aituUBDY14NgJKABRFosBqS6tZpKYo5MlCbXZy1ujUTOnNhxrIAj9yvUQFhIs/hrNpB1ELf46gWSF03LAIesyvWjvx9yxcL7QzeNDyozQbFVwvsWsvaZcIxXzw4B8RjdSV5+2V2BY4z6D6SB7R50ahjxrEqC9PFe3PQmsL9OvFjV9idYwFOhxiWXGjIm3wwFFLOj3e0TShscj2Iw+Ghd3wApvSdBZxzdjap1NHC+Q6yYU+BnivxUHcopVPPM3rsLndyRC6zfrQw/OkOlAP3bNL1hRedPRmRDOz0V1ihEpgC1VfXx6XOu4eg8xWiJgWX+BGvT5GWjfQg2hB1Jm344r3l0eLhr25dO80GIac2QGT2+WmYkXcsQ3AiqAn2VF8UB5mU+Iyh96jmSFVVltGZgfp98yFYN63/7wB++lhVQmJZwbglutng1qjQBFslIULddIHiYvF+AVvkrO3Hc2zg8rT91tbE13k06A1zlNGcQuQKLax8e+2/BNjsZU2E4uQKCAQEA7L4obKWYRHgG6j1VEDRrQU8Vkm4L11B+ZD/rsEh3q7LbzViOPv+1dZ40jX2qYScWyaefI46bukJlk/mlNv4Dh3EnSFvHPCInDM3oImCYImwUx0hkbSRyRNwlwRwx81LJzIR84cCqpNWrXXcplomUSM62ea1E1vtNSZs9Bg2OLoWvFOTPgk/xDi6ezdb6JFiId6cARup/bmZ363mg8jCq0wpTLVdUGrezfMj4GpB1uQET5xqXleumQu/04cHPOfXwpV0ikIOId/ldY/PetiRd86B32aB2Xd4fHUpxHMY+63MFmL6SsqMQJMPubv+eIrOId4HhT+nXNFBZXolT5XG5NwKCAQEA5xvvccHNyCTL0AebxD6EihWnp0/Dd0DwXWxZw0Yhhc9xa/W/QtygB6kPb35oKGvCKdm4dWCIGln03dU5D6CMNkJlbkxpo8gybz34SJ/6OvU836rBLHZXE3Xiqbe5XkdMdarA7kTEhEUqekDXPxhws9dWh0YjtAnBPpm1GQppiykI2edkiIhRgju5ghe+/UjAjxrEgCKZeAODh46hwZHERRKQN2MFUOFcOVDq+2wTJem9r3h1uBQAiZn8PDyx0rlRkwH2dZSSauVW+I713N0JGucOV7FeMO0ebioqqckh0i91ZJNH//Io8Sp8WuBsU/vcP9jT+5BDkCbc71BRO/AFFwKCAQBj4a6oeA0QBhvUw9+ZoKQHv9f4GZnBU+KfZSCJFWn39NQrhMsu5S+n2gGOGJDDwHwqxB+uHsKxCMZWciM0WmMex6ytKJucUURscIsZxespyrPRiEdmjNPxHXiISt8AK9OcB+GwVVsphERygI35Rz5aoWv3VhUPJqNrBKXwYdO06Q3/ILIz5oprU1wIuER9BSU+ZiUFxnXRHEZIAN7Yj5Piyh5hqNCBHTQK17dlbcFdNokxHdUKmYth/l8wyFYnvA21lt+4XOY8x+aQ/xjde+ZvnSozlTGbVNWHxBqI61MsfzDDStQVrhpniIqWJh6PwXM4CIII9z2mgqfR7NqKmTptAoIBAQDTYQOigmZbFvyrayoXVi8XtTLAnv3jByxR5pY7OtvSbagJ3J1w5CYim4iYq39M6TKP4KkMApy5rWl/tFQabPeRcS0gsxc0TBmFEaMTme7fGgrxcFZ6+koubHZCUN5k0sWmIeWQiKlNaY2uf7vf49TBSMXFuGtTclCjlybCnnlmZMPJuhCDqFsUyNelm15+f5pPyWXM5NiFooEc7WIZj996Zb4uSo1EKruVWONzzqe814s9AOp60SCkuoiv97uVRxbLZNItPRSmXNktQmSx/CEl0AuYPYwvJ9HbZQncfTBH9ExlDyidernjyr4uyHGMZyJN614ICy0gncsZv9ZtAd1FAoIBAA4toGPU/VcKFmK92zgO05jsg5vJzw5xeoxRWKrLg7iby6Su6BuNgaVwfYWeZuOhnXakid7FvFXKH6x44o9gyFm5bKqFhaXDzAnxzqcLeM5V+gititOsstpZCbVOoKQOhgTHyxpFNVX3E/nB8EunydWyhQMxKme//NsRroFm1vWljQKyL3zER82AzyseEpEYZoB/6g0n5uF2lR7KllxeBlINsceQ8g3JkmJTdS1hoXcyUSsZ+EgrRbCykNB5aVC5G3/W1OSZsFHbbMrYHCMnaYKwMqLmOkb11o6nOrJJ4pgHj8CVcp2TNjfy3y0Ru6RZ42b0Q+3LktJBGu9r5d04FgI=\n"
+                                  "-----END RSA PRIVATE KEY-----";
+#endif
+
 _Static_assert(sizeof(pki_rsa2048_output) == 2048/8, "rsa2048 output is wrong size");
 _Static_assert(sizeof(pki_rsa4096_output) == 4096/8, "rsa4096 output is wrong size");
 
 static void test_cert(const char *cert, const uint8_t *expected_output, size_t output_len);
+void mbedtls_mpi_printf(const char *name, const mbedtls_mpi *X);
 
 TEST_CASE("mbedtls RSA4096 cert", "[mbedtls]")
 {
@@ -242,6 +252,7 @@ static void test_cert(const char *cert, const uint8_t *expected_output, size_t o
 }
 
 #ifdef CONFIG_MBEDTLS_HARDWARE_MPI
+static void rsa_key_operations(int keysize, bool check_performance, bool use_blinding, bool generate_new_rsa);
 
 static int myrand(void *rng_state, unsigned char *output, size_t len)
 {
@@ -249,7 +260,37 @@ static int myrand(void *rng_state, unsigned char *output, size_t len)
     return mbedtls_hardware_poll(rng_state, output, len, &olen);
 }
 
+#ifdef PRINT_DEBUG_INFO
+static void print_rsa_details(mbedtls_rsa_context *rsa)
+{
+    mbedtls_mpi X[5];
+    for (int i=0; i<5; ++i) {
+        mbedtls_mpi_init( &X[i] );
+    }
+
+    if (0 == mbedtls_rsa_export(rsa, &X[0], &X[1], &X[2], &X[3], &X[4])) {
+        for (int i=0; i<5; ++i) {
+            mbedtls_mpi_printf((char*)"N\0P\0Q\0D\0E" + 2*i, &X[i]);
+            mbedtls_mpi_free( &X[i] );
+        }
+    }
+}
+#endif
+
 TEST_CASE("test performance RSA key operations", "[bignum][ignore]")
+{
+    for (int keysize = 2048; keysize <= 4096; keysize += 2048) {
+        rsa_key_operations(keysize, true, false, true);
+    }
+}
+
+TEST_CASE("test RSA-4096 calculations", "[bignum]")
+{
+    // use pre-genrated keys to make the test run a bit faster
+    rsa_key_operations(4096, false, true, false);
+}
+
+static void rsa_key_operations(int keysize, bool check_performance, bool use_blinding, bool generate_new_rsa)
 {
     mbedtls_rsa_context rsa;
     unsigned char orig_buf[4096 / 8];
@@ -259,37 +300,48 @@ TEST_CASE("test performance RSA key operations", "[bignum][ignore]")
     int public_perf, private_perf;
 
     printf("First, orig_buf is encrypted by the public key, and then decrypted by the private key\n");
+    printf("keysize=%d check_performance=%d use_blinding=%d generate_new_rsa=%d\n", keysize, check_performance, use_blinding, generate_new_rsa);
 
-    for (int keysize = 2048; keysize <= 4096; keysize += 2048) {
-        memset(orig_buf, 0xAA, sizeof(orig_buf));
-        orig_buf[0] = 0; // Ensure that orig_buf is smaller than rsa.N
-
+    memset(orig_buf, 0xAA, sizeof(orig_buf));
+    orig_buf[0] = 0; // Ensure that orig_buf is smaller than rsa.N
+    if (generate_new_rsa) {
         mbedtls_rsa_init(&rsa, MBEDTLS_RSA_PRIVATE, 0);
         TEST_ASSERT_EQUAL(0, mbedtls_rsa_gen_key(&rsa, myrand, NULL, keysize, 65537));
-
-        TEST_ASSERT_EQUAL(keysize, (int)rsa.len * 8);
-        TEST_ASSERT_EQUAL(keysize, (int)rsa.D.n * sizeof(mbedtls_mpi_uint) * 8); // The private exponent
-
-        start = esp_timer_get_time();
-        TEST_ASSERT_EQUAL(0, mbedtls_rsa_public(&rsa, orig_buf, encrypted_buf));
-        public_perf = esp_timer_get_time() - start;
-
-        start = esp_timer_get_time();
-        TEST_ASSERT_EQUAL(0, mbedtls_rsa_private(&rsa, NULL, NULL, encrypted_buf, decrypted_buf));
-        private_perf = esp_timer_get_time() - start;
-
-        if (keysize == 2048) {
-            TEST_PERFORMANCE_LESS_THAN(RSA_2048KEY_PUBLIC_OP, "public operations %d us", public_perf);
-            TEST_PERFORMANCE_LESS_THAN(RSA_2048KEY_PRIVATE_OP, "private operations %d us", private_perf);
-        } else {
-            TEST_PERFORMANCE_LESS_THAN(RSA_4096KEY_PUBLIC_OP, "public operations %d us", public_perf);
-            TEST_PERFORMANCE_LESS_THAN(RSA_4096KEY_PRIVATE_OP, "private operations %d us", private_perf);
-        }
-
-        TEST_ASSERT_EQUAL_MEMORY_MESSAGE(orig_buf, decrypted_buf, keysize / 8, "RSA operation");
-
-        mbedtls_rsa_free(&rsa);
+    } else if (keysize==4096) { // pre-generated private key only available for keysize=4096
+        mbedtls_pk_context clientkey;
+        mbedtls_pk_init(&clientkey);
+        TEST_ASSERT_EQUAL(0, mbedtls_pk_parse_key(&clientkey, (const uint8_t *)privkey_buf, sizeof(privkey_buf), NULL, 0));
+        memcpy(&rsa, mbedtls_pk_rsa(clientkey), sizeof(mbedtls_rsa_context));
+    } else {
+        printf("Not supported keysize, please use generate_new_rsa=true\n");
+        abort();
     }
+#ifdef PRINT_DEBUG_INFO
+    print_rsa_details(&rsa);
+#endif
+
+    TEST_ASSERT_EQUAL(keysize, (int)rsa.len * 8);
+    TEST_ASSERT_EQUAL(keysize, (int)rsa.D.n * sizeof(mbedtls_mpi_uint) * 8); // The private exponent
+
+    start = esp_timer_get_time();
+    TEST_ASSERT_EQUAL(0, mbedtls_rsa_public(&rsa, orig_buf, encrypted_buf));
+    public_perf = esp_timer_get_time() - start;
+
+    start = esp_timer_get_time();
+    TEST_ASSERT_EQUAL(0, mbedtls_rsa_private(&rsa, use_blinding?myrand:NULL, NULL, encrypted_buf, decrypted_buf));
+    private_perf = esp_timer_get_time() - start;
+
+    if (check_performance && keysize == 2048) {
+        TEST_PERFORMANCE_LESS_THAN(RSA_2048KEY_PUBLIC_OP, "public operations %d us", public_perf);
+        TEST_PERFORMANCE_LESS_THAN(RSA_2048KEY_PRIVATE_OP, "private operations %d us", private_perf);
+    } else if (check_performance && keysize == 4096) {
+        TEST_PERFORMANCE_LESS_THAN(RSA_4096KEY_PUBLIC_OP, "public operations %d us", public_perf);
+        TEST_PERFORMANCE_LESS_THAN(RSA_4096KEY_PRIVATE_OP, "private operations %d us", private_perf);
+    }
+
+    TEST_ASSERT_EQUAL_MEMORY_MESSAGE(orig_buf, decrypted_buf, keysize / 8, "RSA operation");
+
+    mbedtls_rsa_free(&rsa);
 }
 
 #endif // CONFIG_MBEDTLS_HARDWARE_MPI
\ No newline at end of file