diff --git a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md index 34ec4738ae..738fa81fd1 100644 --- a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md +++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md @@ -1,9 +1,13 @@ -Remove the X509 parser sensitivity control for an unknown critical extension from config.h ------------------------------------------------------------------------------------------- +Remove the config option MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION +-------------------------------------------------------------------------- -It affects users who use the `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` -option which if set, allowed the X509 parser to parse an X509 certificate -even when it encountered an unknown critical extension. +This change does not affect users of the default configuration; it only affect +users who enable this option. + +The X.509 standard says that implementations must reject critical extensions that +they don't recognize, and this is what Mbed TLS does by default. This option +allowed to continue parsing those certificates but didn't provide a convenient +way to handle those extensions. The migration path from that option is to use the `mbedtls_x509_crt_parse_der_with_ext_cb()` function which is functionally
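Review bot: two grammar slips in the added paragraphs of this hunk: "it only affect users who enable this option" should read "it only affects users who enable this option", and "This option allowed to continue parsing those certificates" should read "This option allowed parsing of those certificates to continue". Since the paragraph appeals to "the X.509 standard", it would help migrating users to cite the source of the requirement, i.e. RFC 5280 section 4.2, which states that a certificate containing a critical extension the implementation cannot process must be rejected; that anchors the rationale for removing the option rather than leaving the reader to take it on faith.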