diff --git a/changelogs/fragments/53201-openssl_csr-improve-invalid-san.yml b/changelogs/fragments/53201-openssl_csr-improve-invalid-san.yml
new file mode 100644
index 00000000000..4fa09997a27
--- /dev/null
+++ b/changelogs/fragments/53201-openssl_csr-improve-invalid-san.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_csr - improve error messages for invalid SANs."
diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py
index 504f9df098b..d1fc7162d91 100644
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@@ -378,7 +378,14 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
         extensions = []
         if self.subjectAltName:
             altnames = ', '.join(self.subjectAltName)
-            extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
+            try:
+                extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
+            except OpenSSL.crypto.Error as e:
+                raise CertificateSigningRequestError(
+                    'Error while parsing Subject Alternative Names {0} (check for missing type prefix, such as "DNS:"!): {1}'.format(
+                        ', '.join(["{0}".format(san) for san in self.subjectAltName]), str(e)
+                    )
+                )
 
         if self.keyUsage:
             usages = ', '.join(self.keyUsage)
diff --git a/test/integration/targets/openssl_csr/tasks/main.yml b/test/integration/targets/openssl_csr/tasks/main.yml
index 9cbe27058a0..23197b1e3eb 100644
--- a/test/integration/targets/openssl_csr/tasks/main.yml
+++ b/test/integration/targets/openssl_csr/tasks/main.yml
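Review bot: The `try` added around the `X509Extension(...)` call catches only `OpenSSL.crypto.Error`, but `altnames.encode('ascii')` inside the same statement raises a `UnicodeError` for a non-ASCII name, so such input still escapes as a raw traceback rather than the new module error. A second clause with a matching hint, e.g. `except UnicodeError as e:` / `raise CertificateSigningRequestError('Subject Alternative Names must be ASCII (IDNA-encode international names): {0}'.format(str(e)))`, would keep the failure mode consistent. The message also recomputes `', '.join(["{0}".format(san) for san in self.subjectAltName])`, which is the `altnames` string built two lines earlier; reusing `altnames` is shorter and keeps the two from drifting apart. The handler names the exception via `OpenSSL.crypto.Error` while the call uses the bare `crypto` module; if `OpenSSL` itself is not imported in this file the handler would raise NameError, which is worth checking against the import block outside the hunk. The enclosing method starts before and ends after the hunk.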
@@ -133,6 +133,14 @@
         privatekey_path: '{{ output_dir }}/privatekey.pem'
         commonName: www.ansible.com
 
+    - name: Generate CSR with invalid SAN
+      openssl_csr:
+        path: '{{ output_dir }}/csrinvsan.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        subject_alt_name: invalid-san.example.com
+      register: generate_csr_invalid_san
+      ignore_errors: yes
+
     - name: Generate CSR with OCSP Must Staple
       openssl_csr:
         path: '{{ output_dir }}/csr_ocsp.csr'
diff --git a/test/integration/targets/openssl_csr/tests/validate.yml b/test/integration/targets/openssl_csr/tests/validate.yml
index 68293b91e12..89074d2b8d6 100644
--- a/test/integration/targets/openssl_csr/tests/validate.yml
+++ b/test/integration/targets/openssl_csr/tests/validate.yml
@@ -53,6 +53,12 @@
           - csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
           - csr_oldapi_modulus.stdout == privatekey_modulus.stdout
 
+    - name: Validate invalid SAN
+      assert:
+        that:
+          - generate_csr_invalid_san is failed
+          - "'Subject Alternative Name' in generate_csr_invalid_san.msg"
+
     - name: Validate OCSP Must Staple CSR (test - everything)
       shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
       register: csr_ocsp
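Review bot: The new 'Validate invalid SAN' task only asserts that `generate_csr_invalid_san.msg` contains 'Subject Alternative Name', which any earlier message mentioning SANs would also satisfy, so the specific hint this change introduces is not exercised. Adding `- "'DNS:' in generate_csr_invalid_san.msg"` and `- "'invalid-san.example.com' in generate_csr_invalid_san.msg"` pins both the improved wording and the echoed offending value that the module message formats in. A `stat` on `{{ output_dir }}/csrinvsan.csr` asserting the file does not exist after the failed run would also be worth adding, provided the module aborts before writing anything — that ordering is not visible here, so confirm it against the module's generate flow.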