diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 13ffa3d53..02fbbd341 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -3333,10 +3333,16 @@ exit:
      * In case opaque keys it's the user responsibility to keep the key valid
      * for the duration of the handshake and destroy it at the end
      */
-    if( ( opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE ) &&
-        ( ! mbedtls_svc_key_id_is_null( ecjpake_pw_slot ) ) )
+    if( ( opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE ) )
     {
-        psa_destroy_key( ecjpake_pw_slot );
+        psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+        /* Verify that the key is still valid before destroying it */
+        if( psa_get_key_attributes( ecjpake_pw_slot, &check_attributes ) ==
+                PSA_SUCCESS )
+        {
+            psa_destroy_key( ecjpake_pw_slot );
+        }
     }
 #endif  /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */
 
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 4b195c4f1..d8c20c29f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -4443,10 +4443,16 @@ exit:
      * In case opaque keys it's the user responsibility to keep the key valid
      * for the duration of the handshake and destroy it at the end
      */
-    if( ( opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE ) &&
-        ( ! mbedtls_svc_key_id_is_null( ecjpake_pw_slot ) ) )
+    if( ( opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE ) )
     {
-        psa_destroy_key( ecjpake_pw_slot );
+        psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+        /* Verify that the key is still valid before destroying it */
+        if( psa_get_key_attributes( ecjpake_pw_slot, &check_attributes ) ==
+                PSA_SUCCESS )
+        {
+            psa_destroy_key( ecjpake_pw_slot );
+        }
     }
 #endif  /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */
 
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 7163d226c..33231b91e 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -6236,6 +6236,7 @@ void ssl_ecjpake_set_password( int use_opaque_arg )
     if( use_opaque_arg )
     {
         psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+        psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT;
 
         /* First try with an invalid usage */
         psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH );
@@ -6248,7 +6249,8 @@ void ssl_ecjpake_set_password( int use_opaque_arg )
         ECJPAKE_TEST_SET_PASSWORD( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
 
         /* check that the opaque key is still valid after failure */
-        TEST_ASSERT( ! mbedtls_svc_key_id_is_null( pwd_slot ) );
+        TEST_EQUAL( psa_get_key_attributes( pwd_slot, &check_attributes ),
+                        PSA_SUCCESS );
 
         psa_destroy_key( pwd_slot );