authorFelix Fontein <felix@fontein.de>2019-11-12 02:23:54 +0100
committerMatt Davis <nitzmahone@users.noreply.github.com>2019-11-11 17:23:54 -0800
commit0846bb85d38e12208aec99b05ae586b5c5b1aae4 (patch)
treee6f264685a69718e6bf3dc9bac8c48edbe6dbdcc
parent484fd8271ec7d8ee787a95f16a4d197cf884062b (diff)
downloadansible-0846bb85d38e12208aec99b05ae586b5c5b1aae4.tar.gz
Backportable subset of: openssl_csr: deprecate version option (#63432) (#63675)
Cherry-picked from ba686154b98194de04a0c37970a3b997394ab7be.
-rw-r--r--changelogs/fragments/63432-openssl_csr-version.yml2
-rw-r--r--lib/ansible/modules/crypto/openssl_csr.py4
2 files changed, 6 insertions, 0 deletions
diff --git a/changelogs/fragments/63432-openssl_csr-version.yml b/changelogs/fragments/63432-openssl_csr-version.yml
new file mode 100644
index 0000000000..4b8858df76
--- /dev/null
+++ b/changelogs/fragments/63432-openssl_csr-version.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_csr - a warning is issued if an unsupported value for ``version`` is used for the ``cryptography`` backend."
diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py
index f9fd162f7e..ba7c7d79cb 100644
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@@ -54,6 +54,8 @@ options:
version:
description:
- The version of the certificate signing request.
+ - "The only allowed value according to L(RFC 2986,https://tools.ietf.org/html/rfc2986#section-4.1)
+ is 1."
type: int
default: 1
force:
@@ -653,6 +655,8 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
def __init__(self, module):
super(CertificateSigningRequestCryptography, self).__init__(module)
self.cryptography_backend = cryptography.hazmat.backends.default_backend()
+ if self.version != 1:
+ module.warn('The cryptography backend only supports version 1. (The only valid value according to RFC 2986.)')
def _generate_csr(self):
csr = cryptography.x509.CertificateSigningRequestBuilder()
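Review bot: The warning added in `CertificateSigningRequestCryptography.__init__` does not tell the user what happens to the value they asked for. Construction continues after `module.warn`, so a task with `version` other than 1 presumably still produces a version 1 CSR. Naming the requested value and its effect would make the log line actionable, e.g. `module.warn('The cryptography backend only supports version 1; requested version %s is not applied. (The only valid value according to RFC 2986.)' % self.version)`. A one-line comment above the check, such as `# Warn instead of failing so existing playbooks keep working; the CSR is still built as version 1 (confirm)`, would record why this is not a `module.fail_json`. The class body and `_generate_csr` continue outside the hunk, so it cannot be confirmed from here whether the idempotence check compares the version and would then report a change on every run.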