diff --git a/scripts/ci.requirements.txt b/scripts/ci.requirements.txt
index 1ad983fa93..ac9c25acf4 100644
--- a/scripts/ci.requirements.txt
+++ b/scripts/ci.requirements.txt
@@ -10,3 +10,8 @@ pylint == 2.4.4
 # Use the earliest version of mypy that works with our code base.
 # See https://github.com/Mbed-TLS/mbedtls/pull/3953 .
 mypy >= 0.780
+
+# Install cryptography to avoid import-error reported by pylint.
+# What we really need is cryptography >= 35.0.0, which is only
+# available for Python >= 3.6.
+cryptography # >= 35.0.0
diff --git a/tests/scripts/audit-validity-dates.py b/tests/scripts/audit-validity-dates.py
index 1517babb85..5947774084 100755
--- a/tests/scripts/audit-validity-dates.py
+++ b/tests/scripts/audit-validity-dates.py
@@ -34,15 +34,21 @@ import logging
 from enum import Enum
 
 # The script requires cryptography >= 35.0.0 which is only available
-# for Python >= 3.6. Disable the pylint error here until we were
-# using modern system on our CI.
-from cryptography import x509 #pylint: disable=import-error
+# for Python >= 3.6.
+import cryptography
+from cryptography import x509
 
 from generate_test_code import FileWrapper
 
 import scripts_path # pylint: disable=unused-import
 from mbedtls_dev import build_tree
 
+def check_cryptography_version():
+    match = re.match(r'^[0-9]+', cryptography.__version__)
+    if match is None or int(match[0]) < 35:
+        raise Exception("audit-validity-dates requires cryptography >= 35.0.0"
+                        + "({} is too old)".format(cryptography.__version__))
+
 class DataType(Enum):
     CRT = 1 # Certificate
     CRL = 2 # Certificate Revocation List
@@ -460,5 +466,6 @@ def main():
 
     logger.debug("Done!")
 
+check_cryptography_version()
 if __name__ == "__main__":
     main()