
I configured S/MIME encryption and signing for Mail on macOS Monterey 12.2.

Even when I'm not trying to do any sort of crypto operation, I get a prompt reading "macOS wants to make changes. Enter an administrator's name and password to allow this." as pictured below. Then it asks again, and again, and again until I've helped it sort out probably every crypto operation needed for every S/MIME-encrypted/signed message in my mailbox.

A prompt that reads "macOS wants to make changes. Enter an administrator's name and password to allow this."

Is it possible to have it prompt just once per Mail session? Or just never again?

AJAr
  • 133

2 Answers


This issue can occur when your personal S/MIME certificate and private key have been stored in the system keychain instead of your login keychain.

Why this happens

The Mail app needs access to your private key to decrypt messages, but it cannot access the system keychain without an administrator's consent, and - for good reasons - it is not possible to allow permanent access.

How to fix it

  1. Open the Keychain Access app and search for your S/MIME certificate
  2. Export the certificate and its private key to a p12 file
  3. Delete the certificate and key from the system keychain
  4. Select the login keychain
  5. Import the p12 file
  6. Make sure the certificate and private key are now in the login keychain
  7. Quit and re-open the Mail app
  8. You will again be asked to allow access to the login keychain, but now you can "Always allow"

Quit and re-open the Mail app to verify it's fixed. There should be no more requests.

As an alternative to exporting and importing, within the Keychain Access app you can

  1. copy the certificate and private key from the system keychain
  2. paste them into the login keychain
  3. delete them from the system keychain

However, with the export/import approach you have the advantage of a file backup, just in case anything goes wrong.

HTH!

not2savvy
  • 608
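The same migration can be scripted with Apple's `security` command-line tool instead of clicking through Keychain Access. The script below is an added example, not code from the answer above or from Apple; it assumes a hypothetical certificate common name "Alice Example", the Monterey paths for the login keychain and Mail.app, and that you run it as the user whose login keychain should own the key. It imports into the login keychain before deleting from the System keychain, so the private key is never held only in the backup file. With DRY_RUN=1 (the default) it only prints the commands; set DRY_RUN=0 on the Mac to execute them, at which point macOS will prompt for the administrator password once for the System keychain operations and for a passphrase for the .p12 file.

```shell
#!/bin/sh
# Added example, not part of the original answer: move an S/MIME identity
# (certificate + private key) from the System keychain to the login keychain
# with the `security` CLI, and give only Mail.app access to the key.
# Hypothetical assumptions: common name "Alice Example"; Mail.app lives at
# /System/Applications/Mail.app (its location on Monterey).
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
set -eu

DRY_RUN="${DRY_RUN:-1}"
SYSTEM_KC="/Library/Keychains/System.keychain"
LOGIN_KC="$HOME/Library/Keychains/login.keychain-db"
MAIL_APP="/System/Applications/Mail.app"

# Echo a command, then execute it unless dry-running.
run() {
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# $1 = certificate common name, $2 = path for the .p12 backup file
migrate_smime_identity() {
    cn="$1"; p12="$2"

    # 1. Show which S/MIME-capable identities the System keychain holds.
    run security find-identity -v -p smime "$SYSTEM_KC"

    # 2. Export cert + private key to a PKCS#12 file: the backup the answer
    #    recommends. -t identities exports every identity in that keychain.
    #    No -P on purpose: `security` prompts for the passphrase, so it never
    #    shows up in `ps` output or shell history.
    run security export -k "$SYSTEM_KC" -t identities -f pkcs12 -o "$p12"

    # 3. Import into the login keychain. -T adds Mail.app to the private
    #    key's access control list, so Mail can use it without a prompt.
    #    Never use -A here: it lets every process on the machine use the key.
    run security import "$p12" -k "$LOGIN_KC" -f pkcs12 -T "$MAIL_APP"

    # 4. Only now remove the identity from the System keychain.
    run security delete-identity -c "$cn" "$SYSTEM_KC"

    # 5. Verify the identity is present in the login keychain.
    run security find-identity -v -p smime "$LOGIN_KC"
}

migrate_smime_identity "Alice Example" "$HOME/Desktop/smime-backup.p12"
```

After running it for real, open the key in Keychain Access and check its Access Control tab: Mail should be listed as an allowed application and "Allow all applications to access this item" should be off. Delete the .p12 backup (or move it to encrypted offline storage) once Mail decrypts without prompting, since the file contains your private key.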

(Edit: caution, this introduces a stupid security issue as pointed out by @not2savvy in the comments below. Stay with the Accepted Answer and you're good.)

What worked for me is to locate the private key in question in the System keychain and explicitly allow access to the respective app. In your case that would be "Mail", in mine, it is Outlook. After a sole, last confirmation of username & password it never asked me again when using it via Outlook.

screenshot of system keychain