diff --git a/src/azure-cli-core/azure/cli/core/auth/identity.py b/src/azure-cli-core/azure/cli/core/auth/identity.py
index 49894903fc0..c49191d4fba 100644
--- a/src/azure-cli-core/azure/cli/core/auth/identity.py
+++ b/src/azure-cli-core/azure/cli/core/auth/identity.py
@@ -279,19 +279,35 @@ def __init__(self, entry):
         self.__dict__.update(entry)
 
         if self.certificate:
-            from OpenSSL.crypto import load_certificate, FILETYPE_PEM, Error
+            from cryptography.x509 import load_pem_x509_certificate
+            from cryptography.hazmat.primitives import hashes
+
             try:
-                with open(self.certificate, 'r') as file_reader:
-                    self._certificate_string = file_reader.read()
-                cert = load_certificate(FILETYPE_PEM, self._certificate_string)
-                self._thumbprint = cert.digest("sha1").decode().replace(':', '')
+                with open(self.certificate, 'rb') as f:
+                    certificate_bytes = f.read()
+                self._certificate_string = certificate_bytes.decode('utf-8')
+
+                # Calculate SHA1 thumbprint of the PEM certificate.
+                # The certificate should look like
+                # -----BEGIN CERTIFICATE-----
+                # ...
+                # -----END CERTIFICATE-----
+
+                # For invalid certificate, load_pem_x509_certificate will raise:
+                # ValueError: Unable to load PEM file.
+                x509_cert = load_pem_x509_certificate(certificate_bytes)
+
+                # x509_cert.fingerprint(hashes.SHA1()) generates a thumbprint like
+                # b'\xd4S\x17\x08...'
+                self._thumbprint = x509_cert.fingerprint(hashes.SHA1()).hex().upper()
+
                 if entry.get(_USE_CERT_SN_ISSUER):
                     # low-tech but safe parsing based on
                     # https://github.com/libressl-portable/openbsd/blob/master/src/lib/libcrypto/pem/pem.h
                     match = re.search(r'-----BEGIN CERTIFICATE-----(?P[^-]+)-----END CERTIFICATE-----',
                                       self._certificate_string, re.I)
                     self._public_certificate = match.group()
-            except (UnicodeDecodeError, Error) as ex:
+            except (UnicodeDecodeError, ValueError) as ex:
                 raise CLIError('Invalid certificate, please use a valid PEM file. Error detail: {}'.format(ex))
 
     @classmethod
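Review bot: The rewritten `except (UnicodeDecodeError, ValueError) as ex:` at the end of the try block lists a subclass beside its base class — `UnicodeDecodeError` derives from `ValueError` — so `except ValueError as ex:` catches exactly the same set and is clearer about what the handler covers. The `ValueError` from `load_pem_x509_certificate` also covers a file that is syntactically PEM but contains no certificate block, so the added comment's single example message ("Unable to load PEM file") is narrower than the handler; rewording it to `# load_pem_x509_certificate raises ValueError for anything it cannot parse as a PEM certificate` keeps it true across cryptography releases. One gap the new handler still leaves is the unchanged `match.group()` below it: if the loader accepts the file but the regex finds no `BEGIN CERTIFICATE` block (cryptography appears to accept other certificate PEM tags as well, if I recall correctly), `match` is `None` and the resulting `AttributeError` escapes as a traceback instead of a CLIError — a guard such as `if match is None: raise CLIError('Invalid certificate, no PEM certificate block found.')` before the `.group()` call would close it. A why-comment on the `hashes.SHA1()` line stating that the digest is the thumbprint identifier the token endpoint expects rather than a security hash (presumably the x5t header; worth confirming against the caller) would keep it from being flagged by static scanners. The enclosing `__init__` ends inside the hunk but its class header is outside it.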
diff --git a/src/azure-cli-core/setup.py b/src/azure-cli-core/setup.py
index 6e06c7a61a1..7e154202c02 100644
--- a/src/azure-cli-core/setup.py
+++ b/src/azure-cli-core/setup.py
@@ -62,7 +62,6 @@
     # psutil can't install on cygwin: https://github.com/Azure/azure-cli/issues/9399
     'psutil>=5.9; sys_platform != "cygwin"',
     'PyJWT>=2.1.0',
-    'pyopenssl>=17.1.0',  # https://github.com/pyca/pyopenssl/pull/612
     'requests[socks]',
     'microsoft-security-utilities-secret-masker~=1.0.0b2',
 ]
diff --git a/src/azure-cli/setup.py b/src/azure-cli/setup.py
index 5576cdf4f44..166b1855ad6 100644
--- a/src/azure-cli/setup.py
+++ b/src/azure-cli/setup.py
@@ -141,6 +141,7 @@
     'pycomposefile>=0.0.29',
     'PyGithub~=1.38',
     'PyNaCl~=1.5.0',
+    'pyOpenSSL>=17.1.0',
     'scp~=0.13.2',
     'semver==2.13.0',
     'setuptools',
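Review bot: azure-cli-core now imports `cryptography.x509` directly in identity.py, but neither setup.py hunk adds or pins a `cryptography` requirement for azure-cli-core; if it is already present elsewhere in that list (outside this hunk) its lower bound should be checked, because the backend-less call form `load_pem_x509_certificate(certificate_bytes)` only works on releases where the `backend` argument is optional, and relying on a transitive dependency through another package gives no such guarantee. Moving `pyOpenSSL>=17.1.0` from azure-cli-core to azure-cli is only safe if no other azure-cli-core module still imports `OpenSSL`; that cannot be confirmed from the diff and is worth a grep before merging. The casing change (`pyopenssl` to `pyOpenSSL`) is harmless since pip normalizes project names, but the PR link that documented the `>=17.1.0` floor is dropped with the old line and could be carried over as a trailing comment on the new one.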