diff --git a/modules/hostap/CMakeLists.txt b/modules/hostap/CMakeLists.txt
index 7ad0d22bb6a..9a0fd21d2cb 100644
--- a/modules/hostap/CMakeLists.txt
+++ b/modules/hostap/CMakeLists.txt
@@ -564,10 +564,8 @@ zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_DPP
 ${HOSTAP_SRC_BASE}/tls/asn1.c
 )
-# crypto mbedtls related CRYPTO OR LEGACY_NCS
-if(DEFINED CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO OR
- DEFINED CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_LEGACY_NCS OR
- DEFINED CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_LEGACY_NCS_PSA)
+# crypto mbedtls related
+if(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO)
 zephyr_library_sources(
 ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-bignum.c
 ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-ec.c
@@ -612,20 +610,15 @@ zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 )
 endif()
-if(DEFINED ONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT OR
- DEFINED CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_LEGACY_NCS)
+if(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT)
 zephyr_include_directories(
 ${HOSTAP_BASE}/port/mbedtls
 )
 zephyr_library_sources(
 ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
+ ${HOSTAP_SRC_BASE}/crypto/tls_mbedtls_alt.c
 ${HOSTAP_SRC_BASE}/crypto/rc4.c
- ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
- ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
- ${HOSTAP_SRC_BASE}/crypto/aes-internal-dec.c
- ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
- ${HOSTAP_SRC_BASE}/crypto/aes-internal-enc.c
 )
 zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
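Review bot: `tls_mbedtls_alt.c` now sits in the unconditional `zephyr_library_sources(` list of the `CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT` branch, so every CRYPTO_ALT image builds the TLS glue, including personal-mode builds that previously fell back to `tls_none.c` (the enterprise-only entry and the `tls_none.c` fallback are both removed in the next hunk). That presumably needs the backend's Kconfig entry to select the mbedTLS TLS options on its own, which cannot be confirmed from this diff because the enterprise option loses its TLS selects in the same commit. If this is intended, I would record it above the list, e.g. `# tls_mbedtls_alt.c is always built with CRYPTO_ALT; its Kconfig entry must select the mbedTLS TLS options`. The same comment could state that the dropped `aes-wrap.c`/`aes-unwrap.c` sources are presumably replaced by `select MBEDTLS_NIST_KW_C` in Kconfig. The `if()` block continues past the end of this hunk.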
@@ -639,14 +632,8 @@ zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 ${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
 ${HOSTAP_SRC_BASE}/crypto/fips_prf_internal.c
 ${HOSTAP_SRC_BASE}/crypto/milenage.c
- ${HOSTAP_SRC_BASE}/crypto/tls_mbedtls_alt.c
-)
-
-zephyr_library_sources_ifndef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
- ${HOSTAP_SRC_BASE}/crypto/tls_none.c
 )
-
 zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST
 ${HOSTAP_SRC_BASE}/crypto/crypto_module_tests.c
 ${HOSTAP_SRC_BASE}/crypto/fips_prf_internal.c
@@ -655,25 +642,6 @@ zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST
 )
 endif()
-if(DEFINED CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA)
-zephyr_include_directories(
- ${HOSTAP_BASE}/port/mbedtls
-)
-
-zephyr_library_sources(
- ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
- ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
- ${HOSTAP_SRC_BASE}/crypto/aes-internal-dec.c
- ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
- ${HOSTAP_SRC_BASE}/crypto/aes-internal-enc.c
- ${HOSTAP_SRC_BASE}/crypto/rc4.c
- ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
- ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
- ${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
- ${HOSTAP_SRC_BASE}/crypto/tls_none.c
-)
-endif()
-
 zephyr_library_link_libraries_ifndef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE mbedTLS)
diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
index 300a61e5cd6..813a9b91ed6 100644
--- a/modules/hostap/Kconfig
+++ b/modules/hostap/Kconfig
@@ -109,9 +109,7 @@ config WIFI_NM_WPA_SUPPLICANT_WEP
 choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
 prompt "WPA supplicant crypto implementation"
- default WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA if SOC_SERIES_NRF54HX
- default WIFI_NM_WPA_SUPPLICANT_CRYPTO_LEGACY_NCS_PSA if SOC_SERIES_NRF54LX || BUILD_WITH_TFM
- default WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_LEGACY_NCS
+ default WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
 help
 Select the crypto implementation to use for WPA supplicant.
 WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT supports enterprise mode
@@ -137,7 +135,6 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO
 select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
 select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
- select MBEDTLS_ECP_DP_SECP256R1_ENABLED
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
 bool "Crypto Mbedtls alt support for WiFi"
@@ -152,164 +149,42 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
 select MBEDTLS_CIPHER
 select MBEDTLS_ECP_C
 select MBEDTLS_ECP_ALL_ENABLED
- select MBEDTLS_CMAC_C
+ select MBEDTLS_CMAC
 select MBEDTLS_PKCS5_C
 select MBEDTLS_PK_WRITE_C
 select MBEDTLS_ECDH_C
 select MBEDTLS_ECDSA_C
 select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+ select MBEDTLS_NIST_KW_C
 select MBEDTLS_DHM_C
 select MBEDTLS_HKDF_C
 select MBEDTLS_SERVER_NAME_INDICATION
 select MBEDTLS_X509_CRL_PARSE_C
 select MBEDTLS_TLS_VERSION_1_2
- select MBEDTLS_ECP_DP_SECP256R1_ENABLED
-
-config WIFI_NM_WPA_SUPPLICANT_CRYPTO_LEGACY_NCS
- bool "Legacy Crypto support for WiFi using nRF security"
- select MBEDTLS
- select NRF_SECURITY
- select MBEDTLS_CIPHER_MODE_CBC
- select MBEDTLS_CIPHER_MODE_CTR
- select MBEDTLS_LEGACY_CRYPTO_C
- select MBEDTLS_SHA1_C
- select MBEDTLS_ECP_C
- select MBEDTLS_CTR_DRBG_C
- select MBEDTLS_PK_C
- select MBEDTLS_PKCS5_C
- select MBEDTLS_PK_PARSE_C
- select MBEDTLS_CMAC_C
- select MBEDTLS_CIPHER_PADDING_PKCS7
- select MBEDTLS_PK_WRITE_C
- select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
- select MBEDTLS_ECP_DP_SECP256R1_ENABLED
-
-config WIFI_NM_WPA_SUPPLICANT_CRYPTO_LEGACY_NCS_PSA
- bool "PSA Crypto support for WiFi using nRF security"
- select MBEDTLS
- select NRF_SECURITY
- select PSA_WANT_GENERATE_RANDOM
- # Legacy crypto, still needed
- select MBEDTLS_SHA1_C
- select MBEDTLS_LEGACY_CRYPTO_C
- select MBEDTLS_CMAC_C
- select MBEDTLS_GCM_C
- select MBEDTLS_TLS_LIBRARY
- select MBEDTLS_PK_C
- select MBEDTLS_PK_WRITE_C
- select MBEDTLS_X509_LIBRARY
- select MBEDTLS_X509_CRT_PARSE_C
- select MBEDTLS_CIPHER_C
- select MBEDTLS_CIPHER_MODE_CTR
- select MBEDTLS_CIPHER_MODE_CBC
- select MBEDTLS_SSL_TLS_C
- select MBEDTLS_ECP_C
- select MBEDTLS_CTR_DRBG_C
- select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
- select MBEDTLS_MD_C
- select MBEDTLS_CIPHER_PADDING_PKCS7
- select MBEDTLS_PKCS5_C
- select MBEDTLS_ECP_DP_SECP256R1_ENABLED
-
-config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_LEGACY_NCS
- bool "Legacy Crypto support for WiFi using nRF security"
- select MBEDTLS
- select NRF_SECURITY
- select MBEDTLS_CIPHER_MODE_CBC
- select MBEDTLS_CIPHER_MODE_CTR
- select MBEDTLS_LEGACY_CRYPTO_C
- select MBEDTLS_ENTROPY_C
- select MBEDTLS_CIPHER
- select MBEDTLS_ECP_C
- select MBEDTLS_CTR_DRBG_C
- select MBEDTLS_PK_WRITE_C
- select MBEDTLS_HKDF_C
- select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
- select MBEDTLS_MD_C
- select MBEDTLS_MD5_C
- select MBEDTLS_ENTROPY_C
- select MBEDTLS_CIPHER_PADDING_PKCS7
- select MBEDTLS_PKCS5_C
-
-config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_LEGACY_NCS_PSA
- bool "Legacy Crypto support for WiFi using nRF security"
- select MBEDTLS
- select NRF_SECURITY
- select PSA_WANT_GENERATE_RANDOM
- select MBEDTLS_CIPHER_MODE_CBC
- select MBEDTLS_CIPHER_MODE_CTR
- select MBEDTLS_LEGACY_CRYPTO_C
- select MBEDTLS_SHA1_C
- select MBEDTLS_ECP_C
- select MBEDTLS_CTR_DRBG_C
- select MBEDTLS_PK_C
- select MBEDTLS_PKCS5_C
- select MBEDTLS_PK_PARSE_C
- select MBEDTLS_CMAC_C
- select MBEDTLS_CIPHER_PADDING_PKCS7
- select MBEDTLS_PK_WRITE_C
- select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
- select MBEDTLS_ENTROPY_C
-
-config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA
- bool "PSA Crypto support for WiFi WPA2 using nRF security"
- select MBEDTLS
- select NRF_SECURITY
- select PSA_WANT_GENERATE_RANDOM
- select MBEDTLS_PK_C
- select MBEDTLS_MD_C
- select MBEDTLS_PK_WRITE_C
- select MBEDTLS_ENABLE_HEAP
- select MBEDTLS_PSA_CRYPTO_C
- select MBEDTLS_USE_PSA_CRYPTO
- select PSA_WANT_ALG_HMAC
- select PSA_WANT_ALG_CMAC
- select PSA_WANT_ALG_ECB_NO_PADDING
- select PSA_WANT_ALG_CBC_PKCS7
- select PSA_ACCEL_CBC_MAC_AES_128
- select PSA_ACCEL_CBC_MAC_AES_192
- select PSA_ACCEL_CBC_MAC_AES_256
- select PSA_WANT_ALG_CCM
- select PSA_WANT_ALG_GCM
- select PSA_WANT_ALG_CTR
- select PSA_WANT_ALG_MD5
- select PSA_ACCEL_MD5
- select PSA_WANT_ALG_SHA_1
- select PSA_WANT_ALG_SHA_256
- select PSA_WANT_ALG_SHA_224
- select PSA_WANT_ALG_SHA_384
- select PSA_WANT_ALG_SHA_512
- select PSA_WANT_ALG_PBKDF2_HMAC
- select PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
- select PSA_WANT_KEY_TYPE_AES
- select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
 bool "No Crypto support for WiFi"
+config WIFI_NM_WPA_SUPPLICANT_CRYPTO_EXT
+ bool "External Crypto support for hostap"
+ help
+ Use external crypto implementation for hostp, this is useful for
+ platforms where the crypto implementation is provided by the platform
+ and not by Zephyr. The external crypto implementation should provide
+ the required APIs and any other dependencies required by hostap.
+
 endchoice
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
 bool "Crypto Platform Secure Architecture support for WiFi"
- default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA
 help
 Support Mbedtls 3.x to use PSA apis instead of legacy apis.
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 bool "Enterprise Crypto support for WiFi"
- select MBEDTLS_ECDH_C
- select MBEDTLS_ECDSA_C
- select MBEDTLS_DHM_C
- select MBEDTLS_SSL_TLS_C
- select MBEDTLS_SSL_SRV_C
- select MBEDTLS_SSL_CLI_C
- select MBEDTLS_X509_LIBRARY
- select MBEDTLS_TLS_LIBRARY
- select MBEDTLS_X509_CRL_PARSE_C
- select MBEDTLS_TLS_VERSION_1_2
- select MBEDTLS_RSA_C
- depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA
+ select MBEDTLS_PEM_CERTIFICATE_FORMAT
+ depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
 config EAP_TLS
 bool "EAP-TLS support"
@@ -366,7 +241,7 @@ config EAP_ALL
 config WIFI_NM_WPA_SUPPLICANT_WPA3
 bool "WPA3 support"
- depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA
+ depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
 default y
 config WIFI_NM_WPA_SUPPLICANT_AP
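Review bot: `WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE` and, in the last hunk, `WIFI_NM_WPA_SUPPLICANT_WPA3` now depend only on `!WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE`, so both can be enabled (WPA3 by default) with the new `WIFI_NM_WPA_SUPPLICANT_CRYPTO_EXT` backend, where nothing in this file guarantees that the SAE or TLS primitives exist. With that backend the enterprise option also forces an mbedTLS symbol on, because `select` ignores dependencies; `select MBEDTLS_PEM_CERTIFICATE_FORMAT if MBEDTLS` would keep it scoped to mbedTLS builds. The enterprise entry also drops every TLS/X.509/RSA select, so enterprise mode with the plain `WIFI_NM_WPA_SUPPLICANT_CRYPTO` backend relies on that backend selecting them, which this hunk does not show. The new help text should say which options the external implementation must supply, and it has a typo: `hostp` should read `hostap`.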