diff --git a/changelogs/fragments/65633-crypto-argspec-fixup.yml b/changelogs/fragments/65633-crypto-argspec-fixup.yml
new file mode 100644
index 00000000000..7f4ae28168e
--- /dev/null
+++ b/changelogs/fragments/65633-crypto-argspec-fixup.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_certificate - ``provider`` option was documented as required, but it was not checked whether it was provided. It is now only required when ``state`` is ``present``."
diff --git a/lib/ansible/modules/crypto/entrust/ecs_domain.py b/lib/ansible/modules/crypto/entrust/ecs_domain.py
index bee6e625736..cda4dea53a0 100644
--- a/lib/ansible/modules/crypto/entrust/ecs_domain.py
+++ b/lib/ansible/modules/crypto/entrust/ecs_domain.py
@@ -383,7 +383,7 @@ def ecs_domain_argument_spec():
 return dict(
 client_id=dict(type='int', default=1),
 domain_name=dict(type='str', required=True),
- verification_method=dict(type='str', choices=['dns', 'email', 'manual', 'web_server']),
+ verification_method=dict(type='str', required=True, choices=['dns', 'email', 'manual', 'web_server']),
 verification_email=dict(type='str'),
 )
diff --git a/lib/ansible/modules/crypto/openssh_cert.py b/lib/ansible/modules/crypto/openssh_cert.py
index 44848449ec2..e22e27afa26 100644
--- a/lib/ansible/modules/crypto/openssh_cert.py
+++ b/lib/ansible/modules/crypto/openssh_cert.py
@@ -34,8 +34,8 @@ options:
 type:
 description:
 - Whether the module should generate a host or a user certificate.
+ - Required if I(state) is C(present).
 type: str
- required: true
 choices: ['host', 'user']
 force:
 description:
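Review bot: Adding `required=True` to `verification_method` in `ecs_domain_argument_spec()` is a user-visible behaviour change, yet the changelog fragment added by this commit only has an entry for `openssl_certificate`. A task that omitted the option will now be rejected at argument validation, so the fragment should carry a second line such as `- "ecs_domain - ``verification_method`` is now enforced as required."`. How the module treated a missing value before this change is not visible here, because the code that consumes the spec is outside the hunk.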
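Review bot: The documentation for `type` in openssh_cert.py now reads "Required if I(state) is C(present)", but this diff contains no argument-spec change for that file, so the enforcement has to come from a `required_if` entry outside the hunk. Please confirm that the module declares something equivalent to `('state', 'present', ['type', 'signing_key', 'public_key', 'valid_from', 'valid_to'])`; without it, a signing request that omits the certificate type or a validity bound would pass validation and fail, or behave unexpectedly, later on. The same check applies to the second openssh_cert.py hunk (`signing_key`, `public_key`, `valid_from`, `valid_to`) and to `privatekey_path` in the openssl_publickey.py hunk.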
@@ -50,29 +50,29 @@ options: signing_key: description: - The path to the private openssh key that is used for signing the public key in order to generate the certificate. + - Required if I(state) is C(present). type: path - required: true public_key: description: - The path to the public key that will be signed with the signing key in order to generate the certificate. + - Required if I(state) is C(present). type: path - required: true valid_from: description: - "The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | always) where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h). Note that if using relative time this module is NOT idempotent." + - Required if I(state) is C(present). type: str - required: true valid_to: description: - "The point in time the certificate is valid to. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | forever) where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h). Note that if using relative time this module is NOT idempotent." + - Required if I(state) is C(present). type: str - required: true valid_at: description: - "Check if the certificate is valid at a certain point in time. If it is not the certificate will be regenerated. diff --git a/lib/ansible/modules/crypto/openssl_certificate.py b/lib/ansible/modules/crypto/openssl_certificate.py index 9f0be82ed72..37e0df485f9 100644 --- a/lib/ansible/modules/crypto/openssl_certificate.py +++ b/lib/ansible/modules/crypto/openssl_certificate.py 
@@ -68,8 +68,8 @@ options: M(openssl_privatekey_info) and M(assert). - "The C(entrust) provider was added for Ansible 2.9 and requires credentials for the L(https://www.entrustdatacard.com/products/categories/ssl-certificates,Entrust Certificate Services) (ECS) API." + - Required if I(state) is C(present). type: str - required: true choices: [ acme, assertonly, entrust, ownca, selfsigned ] force: @@ -2486,9 +2486,10 @@ def main(): supports_check_mode=True, add_file_common_args=True, required_if=[ + ['state', 'present', ['provider']], ['provider', 'entrust', ['entrust_requester_email', 'entrust_requester_name', 'entrust_requester_phone', 'entrust_api_user', 'entrust_api_key', 'entrust_api_client_cert_path', - 'entrust_api_client_cert_key_path']] + 'entrust_api_client_cert_key_path']], ] ) diff --git a/lib/ansible/modules/crypto/openssl_publickey.py b/lib/ansible/modules/crypto/openssl_publickey.py index a3cbdb4fbbc..10a1bffd6a0 100644 --- a/lib/ansible/modules/crypto/openssl_publickey.py +++ b/lib/ansible/modules/crypto/openssl_publickey.py @@ -58,8 +58,8 @@ options: privatekey_path: description: - Path to the TLS/SSL private key from which to generate the public key. + - Required if I(state) is C(present). type: path - required: true privatekey_passphrase: description: - The passphrase for the private key. diff --git a/test/integration/targets/setup_openssl/tasks/main.yml b/test/integration/targets/setup_openssl/tasks/main.yml index 5e93a8c3c19..5a634458e2a 100644 --- a/test/integration/targets/setup_openssl/tasks/main.yml +++ b/test/integration/targets/setup_openssl/tasks/main.yml 
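Review bot: With `['state', 'present', ['provider']]` in openssl_certificate.py, `state: absent` is now accepted with `provider` unset, so every read of `module.params['provider']` in `main()` has to sit behind the state check. `main()` continues outside this hunk, so that ordering cannot be confirmed from the lines shown. The files visible in this commit also add no regression test for the new rule; a task that runs `openssl_certificate` with `state: present` and no `provider`, followed by an assertion that it failed, would pin the fix.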
@@ -1,25 +1,31 @@
 ---
-- name: Incluse OS-specific variables
+- name: Include OS-specific variables
 include_vars: '{{ ansible_os_family }}.yml'
 when: not ansible_os_family == "Darwin"
-- name: Install pyOpenSSL
+- name: Install OpenSSL
+ become: True
+ package:
+ name: '{{ openssl_package_name }}'
+ when: not ansible_os_family == 'Darwin'
+
+- name: Install pyOpenSSL (Python 3)
 become: True
 package:
 name: '{{ pyopenssl_package_name_python3 }}'
- when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
+ when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
-- name: Install pyOpenSSL
+- name: Install pyOpenSSL (Python 2)
 become: True
 package:
 name: '{{ pyopenssl_package_name }}'
 when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
-- name: Install pyOpenSSL
+- name: Install pyOpenSSL (Darwin)
 become: True
 pip:
 name: pyOpenSSL
- when: ansible_os_family == 'Darwin'
+ when: ansible_os_family == 'Darwin'
 - name: register pyOpenSSL version
 command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'"
diff --git a/test/integration/targets/setup_openssl/vars/Debian.yml b/test/integration/targets/setup_openssl/vars/Debian.yml
index 44d0aab0b3b..755c7a083ce 100644
--- a/test/integration/targets/setup_openssl/vars/Debian.yml
+++ b/test/integration/targets/setup_openssl/vars/Debian.yml
@@ -1,2 +1,3 @@
 pyopenssl_package_name: python-openssl
 pyopenssl_package_name_python3: python3-openssl
+openssl_package_name: openssl
diff --git a/test/integration/targets/setup_openssl/vars/FreeBSD.yml b/test/integration/targets/setup_openssl/vars/FreeBSD.yml
index 7613aaaba38..608689158a2 100644
--- a/test/integration/targets/setup_openssl/vars/FreeBSD.yml
+++ b/test/integration/targets/setup_openssl/vars/FreeBSD.yml
@@ -1,2 +1,3 @@
 pyopenssl_package_name: py27-openssl
 pyopenssl_package_name_python3: py36-openssl
+openssl_package_name: openssl
diff --git a/test/integration/targets/setup_openssl/vars/RedHat.yml b/test/integration/targets/setup_openssl/vars/RedHat.yml
index 678304565a7..2959932cd78 100644
--- a/test/integration/targets/setup_openssl/vars/RedHat.yml
+++ b/test/integration/targets/setup_openssl/vars/RedHat.yml
@@ -1,2 +1,3 @@
 pyopenssl_package_name: pyOpenSSL
 pyopenssl_package_name_python3: python3-pyOpenSSL
+openssl_package_name: openssl
diff --git a/test/integration/targets/setup_openssl/vars/Suse.yml b/test/integration/targets/setup_openssl/vars/Suse.yml
index f4fdb5e2eb9..2d5200f3413 100644
--- a/test/integration/targets/setup_openssl/vars/Suse.yml
+++ b/test/integration/targets/setup_openssl/vars/Suse.yml
@@ -1,2 +1,3 @@
 pyopenssl_package_name: python-pyOpenSSL
 pyopenssl_package_name_python3: python3-pyOpenSSL
+openssl_package_name: openssl
diff --git a/test/sanity/ignore.txt b/test/sanity/ignore.txt
index 9bb90b19b58..df884b0264d 100644
--- a/test/sanity/ignore.txt
+++ b/test/sanity/ignore.txt
@@ -1694,10 +1694,6 @@ lib/ansible/modules/commands/command.py validate-modules:nonexistent-parameter-d
 lib/ansible/modules/commands/command.py validate-modules:undocumented-parameter
 lib/ansible/modules/commands/expect.py validate-modules:doc-missing-type
 lib/ansible/modules/crypto/acme/acme_account_info.py validate-modules:return-syntax-error
-lib/ansible/modules/crypto/entrust/ecs_domain.py validate-modules:doc-required-mismatch
-lib/ansible/modules/crypto/openssh_cert.py validate-modules:doc-required-mismatch
-lib/ansible/modules/crypto/openssl_certificate.py validate-modules:doc-required-mismatch
-lib/ansible/modules/crypto/openssl_publickey.py validate-modules:doc-required-mismatch
 lib/ansible/modules/database/influxdb/influxdb_database.py validate-modules:doc-default-does-not-match-spec
 lib/ansible/modules/database/influxdb/influxdb_database.py validate-modules:parameter-type-not-in-doc
 lib/ansible/modules/database/influxdb/influxdb_query.py validate-modules:doc-default-does-not-match-spec