GTD Toolkits Revisited (2017)


I’ve been using Nirvana for Getting Things Done (GTD) with some success, but it is falling down for me in two areas:

  1. When my project count is high, moving items from Inbox to the project is cumbersome because you can’t practically drag-and-drop to a project that’s 35 rows off the page. (Right-click and move is a little more compact, but still cumbersome with 35+ projects.)
  2. I want sub-projects. (Not sub-tasks – subprojects.) I have large projects at work. Those large projects have multiple deliverables. I need to attach tasks to those deliverables. Yes, I could set up each deliverable as a GTD project, but when I ask the question, “What can I do today to move along the top-level project?” separate GTD projects fail for the sub-projects. Nirvana supports one level of sub-tasks, but you can only view those sub-tasks from the parent task. (I think of Nirvana as having implemented “task steps.”)
  3. My Someday list is huge, and I’d like an outline for better managing/reviewing the things I’m not going to be doing this week.
  4. If I’m going to add outlining, I’d like a good outliner, with support for folding/collapsing child nodes.


  • Inbox, for dumping uncategorized items
  • Segregation of tasks and projects
  • Manual tagging as starred/today
  • Work vs personal segregation
  • Supports adding new items at top of list. (When I add something, it is often urgent.)
  • Fast response. (Lag harshes my mellow. This suggests but does not require that there be client-side code which is static, and it works with just data over the wire.)
  • Mark item complete (and archive it forever)
  • Throw item away
  • Manually resequence tasks
  • Ability to view the tasks at the Project level for the project, even if the project contains sub-projects.
  • Some kind of export, in case my employer decides to block access to the web site and I have to leave it
    • Maybe: runs adequately on a Kindle Fire, so I could use that at AT&T if blocked
  • Offline capture and display of pre-synched data on Android phone. (I’d really like it to work well offline, but this is a minimal subset. I do spend time outside of cell coverage.)
  • outline: checklists, project break-downs
  • Easy move-to-area/project
  • Filter for not-assigned-to-work-or-personal
  • Identify errands
  • Review open tasks by project
  • Review just starred/today-tagged items
  • Daily preview-review
  • Completed item stays with project until move-to-archive (or forever).
  • Works well on Mac, Windows, Android phone. Synched data. Desktop apps would be nice, if they add something a site-specific-browser doesn’t.
  • Outline folding.
  • Outline formatting.
  • Checklists (I prefer checkbox over strike-through. I prefer roll-up completion tracking. i.e. auto-complete the top-level if all children are marked complete.)
  • Value commensurate with cost.
  • Send to to-do via my command-line launcher (e.g. Alfred or Slickrun)
  • Things which cannot be done by an outliner with full tagging:
    • Recurring tasks.
    • Tasks which are hidden until a future date. (e.g. Semi-annual car maint.)
    • Deadline (e.g. auto-urgent it on a date)


After some preliminary review, here are the candidates:

  • Checkvist
  • Nirvana+Workflowy
  • Remember the Milk (RTM)+Workflowy

Checkvist and integrate an outliner and to-do. I expect that integration will be more convenient for moving items between the outliner and the to-do list. OTOH, part of my trouble is that Nirvana isn’t giving me enough separation between the two. From a skills perspective, I’d prefer one tool over two.


I selected the “Candidates” above via a cursory review of capabilities, i.e., they provided to-do items and outlines. After a little more investigation I came up with some strategic differences:

  • Nirvana supports GTD natively. It understands Inbox, tasks, and projects. It isn’t ever going to do sub-projects.
  • Checkvist and RTM are general-purpose task-list managers, which can be tailored to GTD via tags, but you’re really going to have to tag everything religiously, or else they fall apart for GTD.
  • wants to integrate itself into my Google ecosystem. I’m not certain I’m comfortable with that. GMail credentials is something I do not want compromised. When I tried to access it via my employer’s network, it spun forever at “Loading document.” I suspect that the browser is trying to access Google Drive, and the firewall is blocking that.

That leaves me with:

  • Native GTD support, but no sub-projects: Nirvana+Workflowy
  • DIY GTD, with sub-projects: Checkvist or RTM+Workflowy

RTM has all the DIY-ness of Checkvist, without bringing an outliner to the table. When compared with Nirvana, it would add subprojects but the DIY-ness adds substantial “friction” to my process. So that leaves me with:

  • Nirvana+Workflowy - incremental change; need a sub-project hack; friction of moving between to-do and outline.
  • Checkvist - revolutionary change; daily friction of non-native GTD; ease of moving between to-do and outline.


  • I could use Checkvist as my outline, and see whether I want to fully migrate to it.
  • I could use Checkvist or Workflowy solely for list management, and move all date-related stuff into my calendar. The gap here is that the only way to find what I want to work on today is to scan all the sub-lists, but I already do that each day, to see what to star.
  • Todoist+Workflowy. Todoist isn’t really going to work for me. You can’t control recurring appointments with precision; you can’t indent an item from the keyboard in Chrome (because they re-use the Chrome next-tab keystroke). I don’t see anything like the Next or the Focus folders from Nirvana. It gives you sub-projects but it doesn’t do anything to make them useful.


  • Workflowy supports OPML; Checkvist supports OPML; Nirvana doesn’t. That’s a barrier to easy info sharing. To move between Workflowy and Nirvana is going to be item-by-item, open-item, copy-text, switch-tab, paste. I don’t see a good copy/paste path for Todoist either.
  • There is no “not” in Checkvist tag search. You can’t search for items with neither #project nor #task. Without KNOWING all items are either project or task, I’m going to worry about losing items. (Items which I enter but do not get found by my project search or my task search.)
    • I could keep projects and tasks in separate lists, or give up on sub-projects, and rely on tasks being at level 2 and projects at level 1.
    • I could trust my daily scan for star-this items to either identify un-tagged or to simply star items which I must deal with today.
    • Tag as #na items which are Next Actions and ready to act on. Everything else is just for review anyhow.
  • Workflowy does seem to have complete search with and/not/or. They say they are working on due dates.

Workflowy vs Checkvist

  • Workflowy puts more lines on the page. Denser spacing.

  • Workflowy has a Zen-like simple appearance.

  • Workflowy has a (beta) offline desktop app. Checkvist has no desktop app.

  • Both have OPML export.

  • Checkvist has auto-backup to Dropbox. Workflowy Pro has a “backup” but they say it is not in a user-readable form. (Dunno if it is really non-readable. It is “Pro” so I can’t just look.)

  • Neither has “Someday”. You have to create a separate Someday node in your outline.

  • Workflowy has nice drag-and-drop (plus keyboard) item move; Checkvist’s drag/drop is adequate but a little twitchy.

  • Checkvist has a few things in Zapier. Neither has anything useful in IFTTT.

  • The big differences (for my use):

    • Checkvist has an API. Workflowy has a limited unofficial API which requires PHP, an unofficial Perl API, and an unofficial Python API.
    • Workflowy has complete tag search - Checkvist can’t do “not” and “or”. This is a big deal.
    • Workflowy puts more lines on the page. Denser spacing.
    • Checkvist has right-click, move-to-another-list; Workflowy has only drag-and-drop or move by 1 row at a time (from keyboard). Moving long distances (e.g. from Someday to active) is going to be a pain in Workflowy; I’ll need to keep separate lists in Checkvist. (Maybe I could write something using the API.)
  • The big gaps for GTD use:

    • Neither has anything like Nirvana’s “Scheduled”, which hides/defers the task until the scheduled date.

    • Checkvist has “due dates” but not starred/focus items, so due dates show up only in a due search. Workflowy has no due dates but says they are working on them.

    • Upshot: If I’m going to use either for GTD, I’m going to need to invent some way of making long-distance moves and of calling attention to:

      • Deferred items which should be moved to active status, based on date.
      • Active items which should be starred, based on date.
      • For the date issues:
        • Manual resolution: Use tags like #undefer-yyyy-mm-dd and #escalate-yyyy-mm-dd. That will put the earliest up-status items at the top of the tag list. Review the tag list daily.
        • Code resolution: Use the API (official or unofficial) and run a daily report (or a daily up-status job).
      • For the long-distance move issue:
        • Checkvist: Maintain separate, modest-sized lists, and move in 2 steps. (Move to list; position in list.)
        • Workflowy: Tag source and dest; search by tag; drag-and-drop; remove tags.
        • A big thing I wanted to improve about Nirvana is the long-distance move problem, and neither Checkvist nor Workflowy fully solves it.

What Am I Going to Do?

Real choices:

  • Use Workflowy or Checkvist as the electronic equivalent of paper-based GTD lists.
  • Make sub-projects work in Nirvana and use Checkvist/Workflowy to hold my Someday-not-soon.


  • Checkvist/Workflowy - decision = Checkvist:
    • Although Workflowy is more elegant and more compact, Checkvist renders Markdown and Workflowy doesn’t. This is important when embedding epically long links. But Workflowy is so much more compact than Checkvist that it may not matter that the links are longer. You can use custom CSS with Checkvist Pro ($40/year). I should be able to use Stylish for CSS. I’m going to assume I can make Checkvist fit better via Stylish or Checkvist Pro.
    • Manually move epic-Someday items between my GTD tool and my outline.
  • GTD Tool: Stick with Nirvana
    • Figure out how to better manage sub-projects of projects (“cases” at work) in Nirvana.
      • Don’t try to manage the whole project in Nirvana. Tasks should be atomic; projects should be the final outcome plus any tasks I need to get out of my head. The purpose of a project entry is simply to track the outcome which occurs down the road AFTER it’s next-action.
    • Keep the active list for projects small enough that I can drag a new task from bottom to top of list.

Clojure With the Cursive (IntelliJ IDEA) IDE

I’m developing an app in Clojure, for personal use. I will have a source-level debugger. The only games in town are Counterclockwise (Eclipse), Cursive (IntelliJ), Visual Studio Code with the ‘Clojure Code’ extension, and Emacs.

If you are using Eclipse or Emacs for other things, you’ll probably want to use them for Clojure too. Otherwise, Cursive is your best bet.

I’m capturing my learnings/observations from an attempt to make the Cursive IDE my primary Clojure development environment. If you use it for commercial purposes, you have to pay an annual fee. (Maybe the ‘Clojure Code’ extension for Visual Studio Code is ready for prime time if that becomes relevant). You must request a new non-commercial license every 6 months, after a 30-day eval period.

Note: “IdeaIC2017.01” will be updated for newer versions. The 1st and the 5th letters are both capital “i”.

  • Note: To uninstall
    • Drag the .app to the trash.
    • Let Hazel auto-delete the settings files.
    • Delete ~/Library/Application Support/IdeaIC2017.1
    • Delete ~/Library/Preferences/IdeaIC2017.1
    • Delete ~/Library/Caches/IdeaIC2017.1
    • Delete ~/Library/Logs/IdeaIC2017.1
    • Note: It looks like if you delete all of these things and then you re-install, you re-start the 30-day eval.
  • Installing:
    • Download IntelliJ Community Edition from I got version 2017.1.3.
    • Install it
    • Launch it
    • Do not import settings
    • Select the Darcula theme
    • Select the “I’ve never used IDEA” keymap scheme
    • Select “Create a launcher script” as /usr/local/bin/idea
    • On “Tune IDEA to your tasks”:
      • Disable all the build tools
      • Enable git and github VCS
      • Disable all test tools
      • Disable Swing
      • Other Tools: Enable only Terminal, YAML, and XSLT
      • Disable Plugin Development
    • Do not install Featured Plugins
    • On the Welcome screen, select Configure > Plugins > Browse Repositories > search for Cursive > Install > Restart
    • Configure > Plugins:
      • Disable Groovy, Java Bytecode Decompiler, Kotlin. Restart.
    • Open any existing Leiningen project or create a new, throw-away project.
      • When prompted, decline EAP (beta) updates.
      • When prompted, Setup SDK. /Library/Java/JavaVirtualMachines/jdk1.8.0_131.jdk. It should populate a whole bunch of Classpath lines.
    • Install “Dark One” color theme:
      • Download from
      • Unzip
      • mkdir ~/Library/Preferences/IdeaIC2017.1/colors
      • Copy “One Dark.icls” to ~/Library/Preferences/IdeaIC2017.1/colors
      • Restart
      • PAY ATTENTION: IntelliJ IDEA > Editor > Colors & Fonts > Scheme = One Dark > When prompted, “For all IntelliJ IDEA”
  • Define keymaps. Preferences » Keymap
    • Load file in REPL (either one): Shift-Alt-Cmd-F. (To match Atom.)
    • Switch REPL ns to current file: Ctrl-N
  • Define an IDE command (and assign a keystroke) to execute a REPL command:
    • Tools→REPL→Add new REPL Command
    • Settings→Keymap
    • See “REPL Commands” at
  • TAB key auto-completes intellisense
  • Shift-F6 = rename symbol (under cursor and all references)
  • Alt-up-arrow: expand selection to next semantic unit.
  • Importing the “rebalance” project:
    • File » Open » Navigate to /Users/kevin/Sync/code/clojure/rebalance, and press the Open button.
    • edit core.clj from the project tree.
    • Run » Edit Configurations.
      • Press the “+” button.
      • Navigate to Clojure REPL/Local in the tree.
      • Run nREPL with Leiningen should be selected.
      • Press OK.
  • You should now have a REPL toolbar in the upper-right corner, with a Run and a Debug icon, among others. If you run/debug, you may see a message:
    • objc[47281]: Class JavaLaunchHelper is implemented in both …
    • Ignore it. It is inconsequential, difficult to suppress, and will go away with a future release of the JDK on Mac.
  • Troubleshooting:
    • File»Invalidate Caches seems to fix some problems.
    • Note: If the Cursive project gets hosed, go to the project directory, run “rm -r .idea *.iml” (.idea is a directory, so plain rm won’t remove it), and then re-import it.
    • Remember that src AND test have code, and a messed up namespace in one can affect ability to load the other.
    • Remember that when backing up a file within the project structure, you better rename .clj to .something-else, because it WILL compile .clj files.

Resource Monitor Window Is Empty

The Resource Monitor window is empty. You could say it is transparent. There is a title bar and a frame, but the main window body is empty/transparent.

It turns out that Resource Monitor does not work with the Windows Classic theme. It only works with an “Aero” theme enabled. Yuck!

Impacts Windows 7, and possibly others.

Quicken - Print Securities Within Accounts

I wanted to print a report showing all of my holdings, grouped by account. Quicken 2017 almost cannot do this.

  • Click on INVESTING on the blue bar above the main panel.
  • Choose Show=Value, GroupBy=Accounts, AsOf=(today)
  • Expand each account to show its holdings
  • Right-click on “Show” in the upper-left corner of the main panel
  • Choose “Print this screen”

It can be difficult to see all of the accounts, because the spacing is funny, but they really are all in there.

If you export to text, that also seems to work OK, except it seems to inject blank lines in the middle of some accounts. Also, if your fields aren’t wide enough on the screen, you’ll get “…” in your export. If that happens, go back to the page in Quicken and make the column wider (even if it looks wide enough to you).

Windows Printer Port Configuration Grayed (Disabled)

I needed to change the IP address on a Windows printer. In the search box I entered “Printers” and I selected “Devices and Printers” in Control Panel. Right-click on the printer, choose Printer Properties, and then the Ports tab. Everything is disabled. WTF?


  • Number 1 - you must be logged in as an Administrator. Logout and login if necessary.
  • Go back to the General tab for the printer. You’ll notice that the Configure button has an administrator icon. Click on that. THEN you can update the port.

This might work better:

  • Enter “cmd” in the search box.
  • Right-click on Command Prompt and choose “Run as administrator”.
  • Enter “control” into the command prompt.
  • Navigate to “View devices and printers” under “Hardware and Sound”.
  • Right-click, choose Printer Properties.
  • It was unlocked at this point, for me.

Migrated to Github Pages

I moved my blog from a self-hosted Drupal site to GitHub Pages with Jekyll. I did this for two reasons:

  • I observed an ‘unauthorized update’ to the configuration of my web server.
  • All of my content is static.

I can’t say for certain whether the unauthorized update was an intrusion or my virtual server host updated my configuration by default. The only change I observed was that someone moved my ssh port. Whoever did it carefully checked to ensure that the new port was open on the firewall. I can find no evidence of any other changes or activity. My VPS provider states that they did NOT make the change. I suspect that the owner of a different site on the same provider requested a port change on his host and the provider changed mine by mistake.

In the end, there is very little difference – an unauthorized change was made on my server, so now I can’t trust its integrity.

Because my content is entirely static (with the exception of user comments, which I’ve suspended due to spam), Drupal was really overkill. By migrating to GitHub pages, I make someone else responsible for server security – someone who can put a lot more time/effort into it. I retain a local copy of the entire site, so even if GitHub melts down, I can re-publish elsewhere, with no loss of content.

I’m using Jekyll to create my site from Markdown files. Actually publishing a blog post with GitHub + Jekyll is more work (and more technical) than with Drupal, so I’ve wrapped it in a script. At this point, my script assumes that I solely post to my blog from my Macbook. I need to tweak my process and my script so that I can safely add a page from another laptop/PC when I’m away from my Mac.

Prose is a spiffy tool for updating GitHub pages from a web browser. All of the logic is run by the web browser except for authentication. Ohh… Not good. That means that Prose can do anything to GitHub that I can. They say you can host the auth part on your own web server. That might be worth investigating. Links:

  • - can run from Chrome or Firefox

It looks like it is mostly abandonware. In theory, the only really scary thing is that they could delete my repository. For any other malicious change, I could always revert git.

Ahh… Silly me. You can do this from the GitHub user interface. To edit a file, just browse to the file and press the Edit button. To create a new file, browse to the _posts directory and press the Create New File button.

Prose does have a Preview feature, which GitHub doesn’t.

PKB, Word, Textedit, Markdown, nvalt and File Portability

I left Evernote. As a result, I’m re-thinking my Personal Knowledge Base (PKB) a.k.a. Personal Knowledge Management (PKM).

As givens, I use a Mac, I share data with my Windows-using wife, and I want to be able to read my documents for the next 50 years. I need:

  • A document format which works on Windows and OS X (or has a high-fidelity, low-effort conversion).
  • It works for, “Hey Susan! Take a look at this,” and then email the document or a link.
  • Works for text and images. (See “Take a look at this.”)
  • Not a lot of fuss and complexity. My personal technology environment is so complex that it sometimes dominates my free time to keep things running.
  • Fast data capture.
  • Attractive output with good formatting (rich text).

There are different kinds of documents:

  • Published documents. I don’t modify these. e.g. Bank statements, utility bills, user guides, etc. In the physical world, these are things I would store in a file cabinet or a bookcase. These don’t change.
  • Personal documentation. I modify these slowly, after initial creation. e.g. “How to Set Up My Router”, “What I Gave My Wife for Christmas”, “How to Load Points to Google Maps From a CSV”.
  • Quick capture. When I’m working on a project, I capture lots of snippets and what-I-tried. This frequently results in me having dozens of TextEdit/Notepad files with a few sentences or fragments. These should be short lifetime, but sometimes live for years.

I need Quick Capture and some Personal Documentation to be available quickly-to-immediately when I’m rebuilding my PC/Mac.

Options and Problems

  • Markdown: This is really for just text.
    • Yes, you can write markup to display an image, but the image is stored separate from the Markdown file.
    • You can store the image in a separate file or you can host it on a web site, but you can’t store it in the file.
    • This creates a problem for “Take a look at this” emails to my wife.
    • It also breaks if I forget about the relationship between the image file and the text file and I move one but not the other.
    • (Most of my text files really are just text, but when I have an image, I don’t want the document to lose it.)
    • It works well for the “can read it in 50 years.” It renders well on Mac and Windows (if I don’t lose the image).
    • Dialects of Markdown are a problem. I can’t really just pick “Markdown.” I have to pick a particular dialect. (Tables aren’t in core Gruber Markdown.) Then I have to pick Markdown tools for that variant which work on Windows and Mac.
    • Note: When I say “Markdown” I mean “Markdown without HTML.” I know you can switch to HTML in the middle of a Markdown document, but that loses the readability of raw Markdown and you have to start worrying about the evolution of HTML across 50 years.
  • TextEdit/Wordpad and RTF.
    • Sounds good. Fails in practice. When you include an image in a TextEdit document, it flips from .rtf to .rtfd (at least with El Capitan’s TextEdit).
    • .rtfd is NOT a file. It is a folder which contains files. The images are stored separately from the .rtf. This makes delivery to Windows from Mac bothersome.
    • .rtfd is NOT readable on Windows. Yes, you can view the .rtf file contained in the .rtfd folder, but the images are separate files and are not rendered when you view the .rtf.
    • You can’t convert a .rtfd with images (and retain the images) with TextEdit, textutil, Pandoc, etc. It is rumored that you can do so with Pages.
    • Use TextEdit and save everything as .webarchive? Whoops! Safari and TextEdit know .webarchive. Other browsers speak .mhtml. This flunks the “Look at this” and the read-in-50 tests.
  • TiddlyWiki is OK for some data.
    • It invites excess fiddling.
    • It fails for “Take a look at this” email.
    • It has image problems similar to Markdown’s. Image files are stored separately from the wiki. You can embed a small number of images, but the wiki will load slowly if you get a lot of graphics. They are stored in base-64.
    • It is ‘iffy’ on the read-in-50. Yes, it is just HTML, but browsers and HTML evolve over time. Try loading a 10 year-old web site you saved in HTML and see whether it renders perfectly. Will JavaScript still be in the browser in 2065? I doubt it.
    • It is great for being available right away, when I’m rebuilding my Mac/PC.
  • nvalt is spiffy for Quick Capture, but it really only works if you write in Markdown or plain text, and you’ve got the separate image and the Markdown variant problems again.
  • zim might be interesting, but I couldn’t get it to run reliably on Mac with about 20 minutes of effort. It is reported to work on Mac, but detailed install instructions which work on all OS X versions aren’t available.
    • This link has steps for making the Windows version run in a Wine bottle, and someone says he got it to work with the brew version of python.
    • Update: This one seems to work. This link has steps for making it run in brew python as of 2015:
    • zim uses plain text with markup. It is different markup than Markdown, but similar in concept.
    • zim plusses: plain text files, support for images, Win/Mac/Linux/Cygwin.
    • zim minuses: tables are funky - use the table plugin, attach a LibreOffice spreadsheet, or hand-code the LaTeX for the table using the equation editor
  • CherryTree is a popular alternative to zim, but it stores its DB in a single XML file or a sqlite DB. I want my separate notes in separate files, so plain-old Spotlight search can find them.
  • Just store everything in .doc or .docx.
    • That’s a pretty damn complex file format. I’m not sure it passes the read-it-in-50 criterion.
    • I don’t have Word on my Mac.
      • I could use LibreOffice. LibreOffice launches so slowly that I’ll start stashing things elsewhere when I’m in a hurry working on a project. It isn’t there early in the OS rebuild process.
      • I could install Office for Mac. I really hate the whole activation thing. “Hello Microsoft. May I please run the software I purchased 10 years ago?” Sure. $150 too.
      • I could run Office in a Windows VM. (I do, actually.) If I leave VMware Fusion running when I hibernate my Mac, it creates an intermittent wake-from-sleep failure. Microsoft product activation is a problem here too. $150 (plus Windows) too.
  • Google Docs? I left Evernote because I don’t trust my confidential data to cloud providers. Not all of my data is confidential, but keeping track of which is which and which is where is friction.
  • ODF/ODT instead of .doc? Well, it isn’t proprietary, but I still would have the LibreOffice issues or the issues of cost and product activation with Word.
  • Maybe I’ll create all my documents using LaTeX. (Snark.)

Sheesh! I begin to understand why RFCs are issued in plain text.

The big thing I miss, if I use discrete files (whether plain or rich text) is hyperlinking from idea to idea (document to document). That’s something which a wiki (including TiddlyWiki) or Evernote/OneNote give me.


  • This is a good document on document lifetime. Good perspective. They seem to prefer the MultiMarkdown dialect.
  • I could use Archivematica to address long-term document readability. Archivematica’s media-type preservation plans convert .doc, .rtf, and other word processing files to Open Document Format (ODF) for preservation and to Adobe’s PDF for viewing. It fails the simplicity test. It would complicate my technology platform.

bash - Remove File Type

I never can remember this:

echo ${filename%.*}

will remove the trailing “.txt”. Mnemonic: % sorta looks like dividing two circles. “%.*” says to divide at the period, matching any file type.

I often use a for loop which looks something like:

for f in foo*.txt ; do
    echo "${f%.txt}"
done

Keyword fodder: bash, shell script, remove file type, remove file extension, basename, base name, Linux, Unix
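As an added example (not code from the original post), here are POSIX sh helpers built on the same %, %%, # and ## expansions. They go beyond the one-liner above by handling the cases it trips over: a dot in a directory name (“/home/a.b/file” would become “/home/a”), a dotfile (“.bashrc” would become empty), and a name with no extension at all. The function names (split_name, strip_ext, strip_all_ext, ext_of, show_renames) and the sample names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): POSIX parameter-expansion helpers
# that strip or isolate a file extension, handling what the bare "${filename%.*}"
# gets wrong: a dot in a directory name ("/home/a.b/file" would become "/home/a"),
# a dotfile (".bashrc" would become ""), and a name with no extension.
# Mnemonic: # sits left of % on a US keyboard and trims the left (prefix); % trims
# the right (suffix). Doubling the operator (## / %%) takes the longest match.

# Split NAME into three globals: dir (directory part with trailing "/", or
# empty), lead ("." when the basename is a dotfile, else empty) and rest
# (the basename with that leading dot removed).
split_name() {
    dir=${1%/*}                              # shortest "/..." suffix removed
    base=${1##*/}                            # longest ".../" prefix removed
    if [ "$dir" = "$1" ]; then dir=; else dir=$dir/; fi   # no "/" at all -> no dir
    case $base in
        .*) lead=.; rest=${base#.} ;;        # a dotfile's first dot is not an extension
        *)  lead=;  rest=$base ;;
    esac
}

# NAME without its last extension: "archive.tar.gz" -> "archive.tar"
strip_ext() {
    split_name "$1"
    case $rest in *.*) rest=${rest%.*} ;; esac     # %  = shortest ".xxx" suffix
    printf '%s%s%s\n' "$dir" "$lead" "$rest"
}

# NAME without any extension: "archive.tar.gz" -> "archive"
strip_all_ext() {
    split_name "$1"
    case $rest in *.*) rest=${rest%%.*} ;; esac    # %% = longest ".xxx.yyy" suffix
    printf '%s%s%s\n' "$dir" "$lead" "$rest"
}

# Just the last extension without its dot; an empty line when there is none.
ext_of() {
    split_name "$1"
    case $rest in
        *.*) printf '%s\n' "${rest##*.}" ;;        # ## = longest prefix up to the last dot
        *)   printf '\n' ;;
    esac
}

# The loop from the post, made safe: print the rename each *.txt in DIR would
# get if its extension were swapped to .md (no files are touched).
show_renames() {
    for f in "$1"/*.txt; do
        [ -e "$f" ] || continue              # no match: the glob stays literal, skip it
        printf '%s -> %s.md\n' "$f" "$(strip_ext "$f")"
    done
}

# Stand-alone demo over constructed sample names
for n in report.txt archive.tar.gz .bashrc .config.bak /home/a.b/file /etc/rc.d/init.sh noext; do
    printf '%-20s strip_ext=%-18s strip_all_ext=%-12s ext=%s\n' \
        "$n" "$(strip_ext "$n")" "$(strip_all_ext "$n")" "$(ext_of "$n")"
done
```

The only trick is splitting off the directory first: inside a parameter expansion, * matches slashes, so “%.*” applied to a full path cuts at whatever dot comes last, wherever it is.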

Kevin's Table of OpenVPN Keys, Certificates, and Authorities

Kevin’s Big List o’ Files

Sometimes I run OpenVPN on a Linux server. Sometimes I run OpenVPN on a consumer-grade router with a built-in OpenVPN. Just to be “helpful”, they don’t use identical terminology. Here’s where I keep it straight.

You’re going to need a bunch of files with certificates.  You’ll give some of these to the server, some to the clients, and some you’ll keep secretly filed away. (See also this .)

File Name             Merlin’s Name                                 Needed By                  Purpose
--------------------  --------------------------------------------  -------------------------  ---------------------------------------------
                      (settings from checkboxes, textboxes, etc.)                              configuration options
ca.crt                Certificate Authority                         server + clients           CA Root Certificate
ca.key                                                              key signing machine only   Root CA private key
dh{n}.pem, dh.pem     Diffie Hellman parameters                                                Diffie Hellman parameters
server.crt            Server Certificate                                                       Server Certificate
server.key            Server Key                                                               Server Key
user-{n}.crt                                                                                   Client Certificate
user-{n}.key                                                                                   Client Key
ta.key (static.key)   Static Key                                    server + clients           Extra, optional security for connecting
crl.pem               Certificate Revocation List                                              Blacklisting of certificates
                      Extra Chain Certificates                                                 Merlin has this field. I don't know what it's for.
.csr files            (not referenced)                              key generation machine     Intermediate files for building certificates


Details of files:

  • ca.crt

    • All of your keys/certificates will be signed by a root certificate authority (CA). This is the certificate of your CA. You can act as your own CA or you can use a commercial CA. This document assumes you act as your own CA. Any (non-revoked) client certificate signed by this CA will be able to log in to your VPN, so you may want a unique CA certificate for your VPN.

  • ca.key

    • This is the private key of your CA. You need it on your key generation machine. You do not need it on your VPN server.

  • dh{n}.pem, dh.pem

    • The Diffie Hellman algorithm generates a unique *session* key via a well-known algorithm. This is a seed for that algorithm. It allows you to “create an encryption key with someone, and then start encrypting your traffic with that key. And even if the traffic is recorded and later analyzed, there's absolutely no way to figure out what the key was.” Contrary to my expectation, you don’t have to keep this secret because parts of the DH exchange are random values. Sometimes this file is named dh2048.pem (or dh4096.pem); sometimes it is named dh.pem.

  • server.crt

    • This identifies your VPN server and contains its public key. Merlin names it server.crt. I generate two server certificates: server-raspi.crt and server-router.crt.

  • server.key

    • This is your VPN server’s private key. Merlin names it server.key. I generate two server keys, one per server certificate: server-raspi.key and server-router.key.

  • user-{n}.crt, user-pass-{n}.crt

    • This identifies your client and contains its public key. There is one per client. Some of these are named user-pass-{n}. Those users have passworded keys.

  • user-{n}.key, user-pass-{n}.key

    • This is your client’s private key. There is one per client. Some of these are named user-pass-{n}. Those users have passworded keys.

  • ta.key (static.key)

    • Used for “Extra HMAC authorization” (Merlin’s name) or the “tls-auth” configuration line in OpenVPN. This is an optional, *extra* key, used to authenticate the TLS handshake. When your client makes its initial connection to the server, this information gets passed. If the client doesn’t pass it, the server doesn’t respond, protecting against some attacks. OpenVPN has 2 authentication modes: “Static Key” and “TLS”. Merlin overloads this field and uses it for BOTH methods’ static key. Merlin calls it “static.key”. In my Linux config, I name it “ta.key”. With Merlin, you must set “TLS control channel security” = 0, or this file won't be created.

  • crl.pem

    • Used to revoke or blacklist certificates. You revoke a certificate when someone loses the laptop/phone with that certificate. Or maybe you revoke your ex-spouse's certificate when the divorce is final. ;-)

  • .csr files

    • In order to create a certificate, you collect some data and get it signed by your Certificate Authority. The .csr files are input to the CA signing. The signed .crt files are the output. Once you have the .crt, you don't need the .csr.
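As an added example (not from the original post, and not Merlin’s or OpenVPN’s own tooling), the script below builds every file in the table and list above with openssl, so the relationships are visible: a .key and .csr are made per identity, the CA turns each .csr into a .crt and the .csr is discarded, the CRL is signed by the same CA, and the server cert is distinguished from client certs by extendedKeyUsage (the property OpenVPN’s remote-cert-tls checks). It then verifies the certificates the way OpenVPN does and shows what a revocation changes. The pki directory, “Example VPN CA”, and the “server” and “client1” common names are assumptions; the -dsaparam shortcut for dh.pem is for speed only, and ta.key is only generated if the openvpn binary is installed.

```shell
#!/bin/sh
# Added example, not from the original post: build every file in the table above
# with openssl so the relationships are visible (a .csr becomes a CA-signed .crt,
# the CRL is signed by the same CA), then verify them the way OpenVPN does.
# Assumed names: the pki directory, "Example VPN CA", and the "server" and
# "client1" common names. ta.key needs the openvpn binary, so it is optional here.
set -e

# One openssl config for every command below. [req_dn] is empty because subjects
# are passed with -subj; [vpn_ca] is the tiny database "openssl ca" needs.
write_config() {
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/issued
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 825
default_crl_days = 30
policy = vpn_policy
[ vpn_policy ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Make NAME.key and NAME.csr, have the CA sign the CSR into NAME.crt with the
# extension section EXT (server_ext or client_ext), then discard the CSR.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -extensions "$2" \
        -in "$1.csr" -out "$1.crt" 2>/dev/null
    rm -f "$1.csr"
}

# Build the whole PKI under DIR on the key-signing machine. The server gets
# ca.crt, server.crt, server.key, dh.pem, ta.key, crl.pem; each client gets
# ca.crt, its own .crt and .key, and ta.key; ca.key never leaves this machine.
build_pki() (
    mkdir -p "$1/issued" && cd "$1"
    : > index.txt; echo 01 > serial; echo 01 > crlnumber
    write_config
    # ca.key + ca.crt: the self-signed root that signs everything else
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
        -extensions ca_ext -subj "/CN=Example VPN CA" -keyout ca.key -out ca.crt 2>/dev/null
    issue server server_ext
    issue client1 client_ext
    # dh.pem: -dsaparam keeps the demo quick; a real deployment runs the slow
    # "openssl dhparam -out dh.pem 2048" (or uses "dh none" for ECDH on OpenVPN 2.4+)
    openssl dhparam -dsaparam -out dh.pem 2048 2>/dev/null
    # ta.key: the tls-auth HMAC key (2.5+ syntax first, then the older form)
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey secret ta.key 2>/dev/null || openvpn --genkey --secret ta.key 2>/dev/null
    fi
    # crl.pem: empty to start with; the server loads it with crl-verify
    openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)

# Verify DIR/NAME.crt against ca.crt and crl.pem for PURPOSE (sslserver or
# sslclient). "remote-cert-tls server" makes an OpenVPN client do the same
# extendedKeyUsage check, so a client certificate cannot pose as the server.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" -crl_check \
        -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Revoke DIR/NAME.crt (lost laptop, departed user) and regenerate crl.pem,
# which then has to be copied to the server.
revoke_cert() (
    cd "$1"
    openssl ca -batch -config ca.cnf -revoke "$2.crt" 2>/dev/null
    openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)

# Stand-alone run: "sh openvpn-pki.sh demo" builds ./vpn-pki and lists it.
if [ "${1:-}" = "demo" ]; then
    build_pki vpn-pki && ls -l vpn-pki
fi
```

Two things the table’s “Needed By” column only hints at are made explicit here: the server never sees ca.key or any .csr, and a revocation is useless until the regenerated crl.pem actually reaches the server’s crl-verify line.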

I hope that helps to keep everything straight. It can be confusing!