diff --git a/acme/setup.py b/acme/setup.py
index 86870abae..bf37e6804 100644
--- a/acme/setup.py
+++ b/acme/setup.py
@@ -6,7 +6,7 @@ from setuptools import setup
 version = '1.22.0.dev0'
 install_requires = [
- 'cryptography>=2.1.4',
+ 'cryptography>=2.5.0',
 'josepy>=1.9.0',
 'PyOpenSSL>=17.3.0',
 'pyrfc3339',
diff --git a/certbot/certbot/ocsp.py b/certbot/certbot/ocsp.py
index 84068ebf1..51d486b6b 100644
--- a/certbot/certbot/ocsp.py
+++ b/certbot/certbot/ocsp.py
@@ -14,6 +14,7 @@ from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
+from cryptography.x509 import ocsp
 import pytz
 import requests
@@ -23,14 +24,6 @@ from certbot import util
 from certbot.compat.os import getenv
 from certbot.interfaces import RenewableCert # pylint: disable=unused-import
-try:
- # Only cryptography>=2.5 has ocsp module
- # and signature_hash_algorithm attribute in OCSPResponse class
- from cryptography.x509 import ocsp # pylint: disable=ungrouped-imports
- getattr(ocsp.OCSPResponse, 'signature_hash_algorithm')
-except (ImportError, AttributeError): # pragma: no cover
- ocsp = None # type: ignore
-
 logger = logging.getLogger(__name__)
@@ -40,7 +33,7 @@ class RevocationChecker:
 def __init__(self, enforce_openssl_binary_usage: bool = False) -> None:
 self.broken = False
- self.use_openssl_binary = enforce_openssl_binary_usage or not ocsp
+ self.use_openssl_binary = enforce_openssl_binary_usage
 if self.use_openssl_binary:
 if not util.exe_exists("openssl"):
diff --git a/certbot/setup.py b/certbot/setup.py
index 5a6823053..0fb00c058 100644
--- a/certbot/setup.py
+++ b/certbot/setup.py
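Review bot: In certbot/certbot/ocsp.py the new top-level `from cryptography.x509 import ocsp` (hunk at -14,6) makes the module fail at import time on cryptography<2.5, where the removed try/except and the `or not ocsp` term in `RevocationChecker.__init__` (hunk at -40,7) used to fall back to the openssl binary. That is fine wherever the new `cryptography>=2.5.0` floor is enforced at install time, but an environment that bypasses that metadata would presumably lose OCSP revocation checking with an ImportError instead of degrading. The deleted comment was also the only place recording why 2.5 is the floor, so I would keep that rationale next to the import, e.g. `# needs cryptography>=2.5.0: OCSPResponse.signature_hash_algorithm`. The body of `__init__` continues outside the hunk.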
@@ -50,7 +50,7 @@ install_requires = [
 # in which we added 2.6 support (see #2243), so we relax the requirement.
 'ConfigArgParse>=0.9.3',
 'configobj>=5.0.6',
- 'cryptography>=2.1.4',
+ 'cryptography>=2.5.0',
 'distro>=1.0.1',
 'josepy>=1.9.0',
 'parsedatetime>=2.4',
diff --git a/certbot/tests/ocsp_test.py b/certbot/tests/ocsp_test.py
index e47b99f3b..c102667bc 100644
--- a/certbot/tests/ocsp_test.py
+++ b/certbot/tests/ocsp_test.py
@@ -10,6 +10,7 @@ from cryptography.exceptions import InvalidSignature
 from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
+from cryptography.x509 import ocsp as ocsp_lib
 import pytz
 from certbot import errors
@@ -21,15 +22,6 @@ except ImportError: # pragma: no cover
 from unittest import mock
-try:
- # Only cryptography>=2.5 has ocsp module
- # and signature_hash_algorithm attribute in OCSPResponse class
- from cryptography.x509 import ocsp as ocsp_lib # pylint: disable=import-error
- getattr(ocsp_lib.OCSPResponse, 'signature_hash_algorithm')
-except (ImportError, AttributeError): # pragma: no cover
- ocsp_lib = None # type: ignore
-
-
 out = """Missing = in header key=value
 ocsp: Use -help for summary.
 """
@@ -139,8 +131,6 @@ class OCSPTestOpenSSL(unittest.TestCase):
 self.assertEqual(mock_log.info.call_count, 1)
-@unittest.skipIf(not ocsp_lib,
- reason='This class tests functionalities available only on cryptography>=2.5.0')
 class OSCPTestCryptography(unittest.TestCase):
 """
 OCSP revokation tests using Cryptography >= 2.4.0
diff --git a/letstest/scripts/test_sdists.sh b/letstest/scripts/test_sdists.sh
index 562169524..4434ce98c 100755
--- a/letstest/scripts/test_sdists.sh
+++ b/letstest/scripts/test_sdists.sh
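Review bot: The docstring of `OSCPTestCryptography` in certbot/tests/ocsp_test.py (context lines of the -139,8 hunk) still says `Cryptography >= 2.4.0`, while the skip reason removed just above it and the new pins all say 2.5.0. With the skip decorator gone, this docstring is the only statement of the version requirement visible on the test class in this hunk, so it should read `OCSP revocation tests using cryptography >= 2.5.0`, which also fixes the "revokation" spelling. The docstring and the class body continue outside the hunk.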
@@ -20,15 +20,6 @@ TEMP_DIR=$(mktemp -d)
 CONSTRAINTS="$TEMP_DIR/constraints.txt"
 cp tools/requirements.txt "$CONSTRAINTS"
-# We pin cryptography to 3.1.1 and pyopenssl to 19.1.0 specifically for CentOS 7 / RHEL 7
-# because these systems ship only with OpenSSL 1.0.2, and this OpenSSL version support has been
-# dropped on cryptography>=3.2 and pyopenssl>=20.0.0.
-# Using this old version of OpenSSL would break the cryptography and pyopenssl wheels builds.
-if [ -f /etc/redhat-release ] && [ "$(. /etc/os-release 2> /dev/null && echo "$VERSION_ID" | cut -d '.' -f1)" -eq 7 ]; then
- sed -i 's|cryptography==.*|cryptography==3.1.1|g' "$CONSTRAINTS"
- sed -i 's|pyopenssl==.*|pyopenssl==19.1.0|g' "$CONSTRAINTS"
-fi
-
 PLUGINS="certbot-apache certbot-nginx"
 # build sdists
diff --git a/tools/oldest_constraints.txt b/tools/oldest_constraints.txt
index 9cdf9f81d..00d871ad6 100644
--- a/tools/oldest_constraints.txt
+++ b/tools/oldest_constraints.txt
@@ -17,7 +17,7 @@ colorama==0.4.4; python_version >= "3.6" and python_full_version < "3.0.0" and s
 configargparse==0.10.0
 configobj==5.0.6
 coverage==5.5; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version < "4" and python_version >= "3.6"
-cryptography==2.1.4
+cryptography==2.5.0
 cython==0.29.24; (python_version >= "2.6" and python_full_version < "3.0.0") or (python_full_version >= "3.3.0")
 distlib==0.3.2; python_version >= "3.6" and python_full_version < "3.0.0" or python_version >= "3.6" and python_full_version >= "3.5.0"
 distro==1.0.1
diff --git a/tools/pinning/oldest/pyproject.toml b/tools/pinning/oldest/pyproject.toml
index 70ec89729..077d5ea0a 100644
--- a/tools/pinning/oldest/pyproject.toml
+++ b/tools/pinning/oldest/pyproject.toml
@@ -60,7 +60,7 @@ cffi = "1.9.1"
 chardet = "2.2.1"
 cloudflare = "1.5.1"
 configobj = "5.0.6"
-cryptography = "2.1.4"
+cryptography = "2.5.0"
 distro = "1.0.1"
 dns-lexicon = "3.2.1"
 dnspython = "1.15.0"