diff --git a/doc/releases/migration-guide-4.0.rst b/doc/releases/migration-guide-4.0.rst
index 5494751dac1..3f1d90764b3 100644
--- a/doc/releases/migration-guide-4.0.rst
+++ b/doc/releases/migration-guide-4.0.rst
@@ -51,6 +51,10 @@ Mbed TLS
 * ``CONFIG_MBEDTLS_ENTROPY_ENABLED`` is now :kconfig:option:``CONFIG_MBEDTLS_ENTROPY_C``,
 * ``CONFIG_MBEDTLS_ZEPHYR_ENTROPY`` is now :kconfig:option:``CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR``.
 
+* The Kconfig option ``CONFIG_MBEDTLS_SSL_EXPORT_KEYS`` was removed because the
+ corresponding build symbol was removed in Mbed TLS 3.1.0 and is now assumed to
+ be enabled. (:github:`77657`)
+
 Trusted Firmware-M
 ==================
 
diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
index 95ae88a6f9f..ab53251b990 100644
--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@@ -19,9 +19,6 @@ if MBEDTLS_TLS_VERSION_1_2
 config MBEDTLS_DTLS
 bool "Support for DTLS"
 
-config MBEDTLS_SSL_EXPORT_KEYS
- bool "Support for exporting SSL key block and master secret"
-
 config MBEDTLS_SSL_ALPN
 bool "Support for setting the supported Application Layer Protocols"
 
diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h
index 404c5e423f9..6246d5040f2 100644
--- a/modules/mbedtls/configs/config-tls-generic.h
+++ b/modules/mbedtls/configs/config-tls-generic.h
@@ -324,10 +324,6 @@
 #define MBEDTLS_ENTROPY_C
 #endif
 
-#if defined(CONFIG_MBEDTLS_SSL_EXPORT_KEYS)
-#define MBEDTLS_SSL_EXPORT_KEYS
-#endif
-
 #if defined(CONFIG_MBEDTLS_SSL_ALPN)
 #define MBEDTLS_SSL_ALPN
 #endif
diff --git a/modules/openthread/CMakeLists.txt b/modules/openthread/CMakeLists.txt
index c155fab65f9..2ee23327435 100644
--- a/modules/openthread/CMakeLists.txt
+++ b/modules/openthread/CMakeLists.txt
@@ -163,6 +163,11 @@ endforeach()
 string(REPLACE " " ";" OT_PARAM_LIST " ${CONFIG_OPENTHREAD_CUSTOM_PARAMETERS}")
 target_compile_definitions(ot-config INTERFACE ${OT_PARAM_LIST})
 
+# Since Mbed TLS 3.1.0 MBEDTLS_SSL_EXPORT_KEYS was removed as build symbol and
+# it's always assumed to be enabled. Corresponding kconfig was removed from
+# Zephyr as well, but OpenThread code still uses it, so we add it here.
+target_compile_definitions(ot-config INTERFACE -DMBEDTLS_SSL_EXPORT_KEYS)
+
 # Zephyr compiler options
 target_include_directories(ot-config INTERFACE
 $
diff --git a/subsys/net/l2/openthread/Kconfig b/subsys/net/l2/openthread/Kconfig
index db09d32fd31..958de6f8179 100644
--- a/subsys/net/l2/openthread/Kconfig
+++ b/subsys/net/l2/openthread/Kconfig
@@ -193,7 +193,6 @@ config OPENTHREAD_MBEDTLS
 select MBEDTLS_ECP_DP_SECP256R1_ENABLED if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER || \
 OPENTHREAD_SRP_CLIENT || OPENTHREAD_SRP_SERVER
 select MBEDTLS_ECP_NIST_OPTIM if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
-select MBEDTLS_SSL_EXPORT_KEYS if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
 select MBEDTLS_CTR_DRBG_ENABLED if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
 select MBEDTLS_HMAC_DRBG_ENABLED if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER || \
 OPENTHREAD_SRP_CLIENT || OPENTHREAD_SRP_SERVER
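Review bot: The added `target_compile_definitions(ot-config INTERFACE -DMBEDTLS_SSL_EXPORT_KEYS)` in the modules/openthread/CMakeLists.txt hunk is unconditional, while the `select MBEDTLS_SSL_EXPORT_KEYS if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER` that this commit removes from subsys/net/l2/openthread/Kconfig enabled the symbol only for commissioner or joiner builds. Every consumer of `ot-config` now sees the macro, so whatever OpenThread code it guards (presumably the TLS key-export callback path) is compiled into configurations that previously left it out. If that widening is not intended, keep the old scope by wrapping the call in `if(CONFIG_OPENTHREAD_COMMISSIONER OR CONFIG_OPENTHREAD_JOINER)` … `endif()`, and state the chosen scope in the comment above it. Separately, pass the bare name `MBEDTLS_SSL_EXPORT_KEYS`: CMake strips a leading `-D` in `target_compile_definitions`, so the prefix is redundant.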