diff --git a/ChangeLog.d/issue4870.txt b/ChangeLog.d/issue4870.txt
new file mode 100644
index 0000000000..213a824835
--- /dev/null
+++ b/ChangeLog.d/issue4870.txt
@@ -0,0 +1,10 @@
+Bugfix
+   * Mark basic constraints critical as appropriate. Note that the previous
+     entry for this fix in the 2.16.10 changelog was in error, and it was not
+     included in the 2.16.10 release as was stated.
+     Make 'mbedtls_x509write_crt_set_basic_constraints' consistent with RFC
+     5280 4.2.1.9 which says: "Conforming CAs MUST include this extension in
+     all CA certificates that contain public keys used to validate digital
+     signatures on certificates and MUST mark the extension as critical in
+     such certificates." Previous to this change, the extension was always
+     marked as non-critical. This was fixed by #4044.