diff --git a/changelogs/fragments/395-csr-key_usage.yml b/changelogs/fragments/395-csr-key_usage.yml
new file mode 100644
index 00000000..9bbe9426
--- /dev/null
+++ b/changelogs/fragments/395-csr-key_usage.yml
@@ -0,0 +1,3 @@
+bugfixes:
+ - "openssl_csr and openssl_csr_pipe - the idempotency check for ``key_usage`` resulted in a crash if ``Key Agreement``/``keyAgreement`` was not set
+ (https://github.com/ansible-collections/community.crypto/issues/934, https://github.com/ansible-collections/community.crypto/pull/935)."
diff --git a/plugins/module_utils/_crypto/module_backends/csr.py b/plugins/module_utils/_crypto/module_backends/csr.py
index 56501dd9..09256185 100644
--- a/plugins/module_utils/_crypto/module_backends/csr.py
+++ b/plugins/module_utils/_crypto/module_backends/csr.py
@@ -546,7 +546,14 @@ class CertificateSigningRequestBackend:
 return False
 params = cryptography_parse_key_usage_params(self.key_usage)
 for param, value in params.items():
- if getattr(current_keyusage_ext.value, param) != value:
+ try:
+ # param in ('encipher_only', 'decipher_only') can result in ValueError()
+ # being raised if key_agreement == False.
+ current_value = getattr(current_keyusage_ext.value, param)
+ except ValueError:
+ # In that case, assume that the value is False.
+ current_value = False
+ if current_value != value:
 return False
 return current_keyusage_ext.critical == self.key_usage_critical
diff --git a/tests/integration/targets/openssl_csr/tasks/impl.yml b/tests/integration/targets/openssl_csr/tasks/impl.yml
index 7084ef38..96c32e02 100644
--- a/tests/integration/targets/openssl_csr/tasks/impl.yml
+++ b/tests/integration/targets/openssl_csr/tasks/impl.yml
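Review bot: The `except ValueError` added around the getattr is wider than the comment above it describes: it maps any ValueError raised while reading a key-usage attribute to `current_value = False`, not only the one cryptography raises for `encipher_only`/`decipher_only` when `key_agreement` is not set. Any other ValueError would then be reported as a mismatch, and the module would silently regenerate the CSR on every run instead of surfacing the error, which is hard to diagnose from the outside. Limit the fallback to the two documented parameters by inserting `if param not in ("encipher_only", "decipher_only"): raise` before `current_value = False` in the except branch, so the comment and the handled case agree. The enclosing method starts before this hunk, so the origin of `current_keyusage_ext` is not visible here.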
@@ -165,6 +165,21 @@
 select_crypto_backend: '{{ select_crypto_backend }}'
 register: csr_ku_xku_change_2
+- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (idempotency 2)"
+ community.crypto.openssl_csr:
+ path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
+ privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
+ subject:
+ commonName: 'www.ansible.com'
+ keyUsage:
+ - digitalSignature
+ extendedKeyUsage:
+ - ipsecUser
+ - qcStatements
+ - Biometric Info
+ select_crypto_backend: '{{ select_crypto_backend }}'
+ register: csr_ku_xku_change_2_idempotency
+
 - name: "({{ select_crypto_backend }}) Generate CSR with old API"
 community.crypto.openssl_csr:
 path: '{{ remote_tmp_dir }}/csr_oldapi.csr'
diff --git a/tests/integration/targets/openssl_csr/tests/validate.yml b/tests/integration/targets/openssl_csr/tests/validate.yml
index b00e65ed..9528738d 100644
--- a/tests/integration/targets/openssl_csr/tests/validate.yml
+++ b/tests/integration/targets/openssl_csr/tests/validate.yml
@@ -56,6 +56,7 @@
 - csr_ku_xku is not changed
 - csr_ku_xku_change is changed
 - csr_ku_xku_change_2 is changed
+ - csr_ku_xku_change_2_idempotency is not changed
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
 ansible.builtin.command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"