diff --git a/docs/3.0-migration-guide.d/default-curves.md b/docs/3.0-migration-guide.d/default-curves.md
index 551e28721c..928130d247 100644
--- a/docs/3.0-migration-guide.d/default-curves.md
+++ b/docs/3.0-migration-guide.d/default-curves.md
@@ -7,6 +7,8 @@ Hashes and curves weaker than 255 bits (security strength less than 128 bits) ar
 
 The compile-time options `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` and `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` are no longer available.
 
+The curve secp256k1 has also been removed from the default X.509 and TLS profiles. [RFC 8422](https://datatracker.ietf.org/doc/html/rfc8422#section-5.1.1) deprecates it in TLS, and it is very rarely used, although it is not known to be weak at the time of writing.
+
 If you still need to accept certificates signed with algorithms that have been removed from the default profile, call `mbedtls_x509_crt_verify_with_profile` instead of `mbedtls_x509_crt_verify` and pass a profile that allows the curves and hashes you want. For example, to allow SHA-224:
 ```
 mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default;
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 9c7016d8e9..f991251ca6 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -335,11 +335,11 @@ typedef void mbedtls_x509_crt_restart_ctx;
  *
  * This profile permits:
  * - SHA2 hashes with at least 256 bits: SHA-256, SHA-384, SHA-512.
- * - Elliptic curves with 255 bits and above.
+ * - Elliptic curves with 255 bits and above except secp256k1.
  * - RSA with 2048 bits and above.
  *
  * New minor versions of Mbed TLS may extend this profile, for example if
- * new curves are added to the library. New minor versions of Mbed TLS will
+ * new algorithms are added to the library. New minor versions of Mbed TLS will
  * not reduce this profile unless serious security concerns require it.
  */
 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3bbdcb086b..2688af173e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6131,9 +6131,6 @@ static mbedtls_ecp_group_id ssl_preset_default_curves[] = {
 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
     MBEDTLS_ECP_DP_SECP256R1,
 #endif
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-    MBEDTLS_ECP_DP_SECP256K1,
-#endif
 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
     MBEDTLS_ECP_DP_SECP384R1,
 #endif
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 650044583c..f12ac6b7e0 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -114,7 +114,7 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
     MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) |
     MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) |
     MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256K1 ),
+    0,
 #else
     0,
 #endif