Addition of the migration guide
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
diff --git a/ChangeLog.d/issue4378.txt b/ChangeLog.d/issue4378.txt
index f10c23c..9a7522b 100644
--- a/ChangeLog.d/issue4378.txt
+++ b/ChangeLog.d/issue4378.txt
@@ -1,4 +1,4 @@
Removals
* Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
- for migration path. Fixes #4378.
+ migration path. Fixes #4378.
diff --git a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md
new file mode 100644
index 0000000..34ec473
--- /dev/null
+++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md
@@ -0,0 +1,13 @@
+Remove the X509 parser sensitivity control for an unknown critical extension from config.h
+------------------------------------------------------------------------------------------
+
+It affects users who use the `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION`
+option which if set, allowed the X509 parser to parse an X509 certificate
+even when it encountered an unknown critical extension.
+
+The migration path from that option is to use the
+`mbedtls_x509_crt_parse_der_with_ext_cb()` function which is functionally
+equivalent to `mbedtls_x509_crt_parse_der()`, and/or
+`mbedtls_x509_crt_parse_der_nocopy()` but it calls the callback with every
+unsupported certificate extension and additionally the "certificate policies"
+extension if it contains any unsupported certificate policies.