diff --git a/ChangeLog.d/rsa-padding.txt b/ChangeLog.d/rsa-padding.txt
new file mode 100644
index 000000000..5f9c11f71
--- /dev/null
+++ b/ChangeLog.d/rsa-padding.txt
@@ -0,0 +1,5 @@
+API changes
+   * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
+     key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
+     after initializing the context. mbedtls_rsa_set_padding() now returns an
+     error if its parameters are invalid.
diff --git a/docs/3.0-migration-guide.d/rsa-padding.md b/docs/3.0-migration-guide.d/rsa-padding.md
new file mode 100644
index 000000000..a04d9ee2a
--- /dev/null
+++ b/docs/3.0-migration-guide.d/rsa-padding.md
@@ -0,0 +1,29 @@
+Remove the padding parameters from mbedtls_rsa_init()
+-----------------------------------------------------
+
+This affects all users who use the RSA encryption, decryption, sign and
+verify APIs.
+
+The function mbedtls_rsa_init() no longer supports selecting the PKCS#1 v2.1
+encoding and its hash. It just selects the PKCS#1 v1.5 encoding by default. If
+you were using the PKCS#1 v2.1 encoding you now need, subsequently to the call
+to mbedtls_rsa_init(), to call mbedtls_rsa_set_padding() to set it.
+
+Code migration examples:
+```C
+    mbedtls_rsa_init(ctx, padding, hash_id);
+```
+to
+```C
+    mbedtls_rsa_init(ctx);
+    mbedtls_rsa_set_padding(ctx, padding, hash_id);
+```
+or
+```C
+    mbedtls_rsa_init(ctx, MBEDTLS_RSA_PKCS_V15, <ignored>);
+```
+to
+```C
+    mbedtls_rsa_init(ctx);
+```
+