Common operations using Estonian eID (Linux)


Assumptions: Using Ubuntu with OpenSC

Installation Tip: Make sure to have installed OpenSC from source, rather than using the Ubuntu repositories (in other words, follow the instructions here [1] rather than using apt-get install opensc). This is necessary to avoid the

“failed: Invalid arguments
Decrypt failed: Invalid arguments ”

error as outlined in this OpenSC mailing list submission [2]. It took a while to figure out what the problem was. Hopefully outlining the troubleshooting process will help with similar problems. First, enable verbose output (in this instance we were using pkcs15-crypt) and have a look at the output. In this case, we noted the output highlighted in red here [3]. Searching for the error “Invalid Case 4 short APDUleads us to this OpenSC pull request [4], which highlights the need to install a later version of OpenSC.

Common Cryptographic operations using Estonian E-ID.

File names used:

/tmp/toSign: the file whose signature you would like to generate.

/tmp/toSign.sig: the signature of the file

/tmp/toEncrypt: the file you would like to encrypt

/tmp/Encrypted.enc: the encrypted file

/tmp/publickey.pem: the public key assigned to you, stored on your e-ID card, which is safe to distribute ( hence “public” 😉 )

Extracting Public Key for distribution

pkcs15-tool --read-public-key 01 > /tmp/publickey.pem

Generating a signature of a document (signing operation)

openssl dgst -binary -sha512 /tmp/toSign | /usr/bin/pkcs15-crypt --sign --key 01 --sha-512 --pkcs1 --raw > /tmp/toSign.sig


Verifying a signature of a document (signature verification operation)

openssl dgst -sha512 -verify /tmp/publickey.pem -signature toSign.sig /tmp/toSign

Encrypting a file using a public key (e.g. someone needs to send data ONLY YOU can decrypt)

openssl rsautl -inkey /tmp/publickey.pem -pubin -encrypt -pkcs -in /tmp/toEncrypt -out /tmp/Encrypted.enc

Decrypting a file with your private key stored on your card

pkcs15-crypt --decipher --key 01 --input /tmp/Encrypted.enc --pkcs1 --raw


PS: The following sites have been invaluable during the investigation








Connecting Ubuntu / Mint to exchange mail and calendar

Assumptions and pre-requisites.

This article assumes the Linux user has the following installed:

  • An Ubuntu derived distribution such as Ubuntu itself, Linux Mint, and so on
  • The email client used is evolution, installed via the following packages and their dependencies:
  • evolution
  • evolution-common
  • evolution-data-server-common
  • evolution-mapi
  • evolution-ews
  • evolution-data-server-goa
  • evolution-plugins
  • gnome-online-accounts
  • gnome-control-center

Setup Details

  • Open the system menu and search / type for ‘online accounts‘. Note: you may see multiple entries for this. The correct entry is the one which allows you to select an account of type ‘Microsoft Exchange’ (see below)
  • Open online accounts and click on the “+” sign on the lower left to add an account. Make sure to select the type “Microsoft Exchange”


  • Type in your email and password
  • Expand the “custom” settings and enter:
  • Username: [email protected] (note the following format has also been reported to work: your-domain\your-username)
  • Server: (note that this is actually the domain of your outlook web access URL. For example, if your webmail URL is, then this server would be webmail.something.owa)
  • Click on connect, and very that the account is being used for mail, calendar and contacts as shown below


  • close the online accounts settings box
  • Open evolution (close and re-open if evolution was previously open)
  • Verify that the account has been successfully added in evolution by:
  • Edit > Preferences
  • Under Mail Accounts, make sure a corresponding entry to the above is visible in the window. In the below example, you see two such accounts of type ‘EWS” (also distinguishable from their icon looking like a plug, whereas other accounts do not have the icon and have the tickbox)


  • Your mail should now be visible under the evolution ‘mail’ tab, and an equivalent calendar should have been automatically added under the ‘calendar’ tab

Additional Notes

If you do not use gnome-online accounts, it is still possible to set this up (though without calendar), the one extra piece of information needed is that along with an account type of ‘EWS’, the host URL should be: Also, during troubleshooting, it is useful to see if that URL is reachable.