diff --git a/ChangeLog b/ChangeLog index 3571910b6..8f952b76f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,16 +49,9 @@ Removals * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES compile-time option, which was off by default. Users should not trust certificates signed with SHA-1 due to the known attacks against SHA-1. - If needed, SHA-1 cerificate can still be used by providing custom - verification profile to mbedtls_x509_crt_verify_with_profile function - in x509_crt.h, or mbedtls_ssl_conf_cert_profile function in ssl.h. - Example of custom verification profile, supporting SHA-1: - const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = { - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ), - 0xFFFFFFF, /* Any PK alg */ - 0xFFFFFFF, /* Any curve */ - 2048 - }; + If needed, SHA-1 cerificates can still be verified by using a custom + verification profile. + * Removed deprecated things in psa/crypto_compat.h. Fixes #4284 * Removed deprecated functions from hashing modules. Fixes #4280. * Remove PKCS#11 library wrapper. PKCS#11 has limited functionality, diff --git a/docs/3.0-migration-guide.md b/docs/3.0-migration-guide.md index 9bcaa0de0..b48754165 100644 --- a/docs/3.0-migration-guide.md +++ b/docs/3.0-migration-guide.md 
@@ -75,7 +75,20 @@ If you used to enable `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` in your `config.h`, first please take a moment to consider whether you really still want to accept certificates signed with SHA-1 as those are considered insecure and no CA has issued them for a while. If you really need to allow SHA-1 in -certificates, please set up a custom profile as explained in the ChangeLog. +certificates, please set up a custom profile as follows: + +``` +const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = { + MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) | + MBEDTLS_X509_ID_FLAG( /* other hash */ ) /* | etc */, + 0xFFFFFFF, /* Or specific PK algs */ + 0xFFFFFFF, /* Or specific curves */ + 2048 /* Or another RSA min bitlen */ +}; +``` +Then pass it to `mbedtls_x509_crt_verify_with_profile()` if you're verifying +a certificate chain directly, or to `mbedtls_ssl_conf_cert_profile()` if the +verification happens during a TLS handshake. Remove the certs module from the library ----------------------------------------
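Review bot: In the ChangeLog hunk, the retained line `+ If needed, SHA-1 cerificates can still be verified by using a custom` carries the same typo the removed text had; it should read "certificates". Since the worked profile example is being moved out of the ChangeLog, the entry should also point readers to the migration guide (docs/3.0-migration-guide.md) so they can find the custom-profile instructions without digging through history.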
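Review bot: In the migration-guide hunk, the template `MBEDTLS_X509_ID_FLAG( /* other hash */ ) /* | etc */,` does not compile as written (the macro receives an empty argument once the comment is stripped), so a reader who pastes the block will hit a build error rather than a clear placeholder. Suggest either giving a concrete second entry such as `MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )` or dropping the placeholder and saying in prose that further hashes are OR-ed in. Two smaller points on the same block: the opening fence should be tagged ```c so the snippet is highlighted like the rest of the guide, and `0xFFFFFFF` is seven F's (28 bits) rather than the full 32-bit mask, which is harmless today but reads like a typo; either write `0xFFFFFFFF` or say explicitly that the value means "all algorithms" and is expected to be narrowed.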