Why does OS X repeatedly prompt for certificate trust when joining WPA2 Enterprise WiFi

Solution 1:

I had the same issue and my solution was to change the access control on the certificate's private key to not require confirmation. Go to My Certificates, expand your certificate, and open the private key settings. You could probably be more selective and just allow whatever "application" handles WiFi, but in my case it wasn't necessary.


Solution 2:

I believe what's happening is that macOS needs access to the private key of the client certificate that EAP-TLS is requesting. As has been suggested, find the client certificate in Keychain Access (if the prompt you get states that it is trying to access the "System" keychain, then search in the System keychain).

Beside the certificate there will be an arrow that allows you to expand the hierarchy, exposing the private key associated with the certificate. Expand it, then double-click on the key. Select Access Control.

Now if you're like me and you don't want to allow all applications to access this key, you'll need to select the eapolclient. Click the "+" symbol, then Command+Shift+G and enter "/System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources". Click "Go". Select eapolclient and click "Add", then authenticate yourself. Oddly enough, although this gives permission to eapolclient, revisiting the Access Control dialog doesn't show the newly added eapolclient.

NB: I'm running Mojave 10.14.6.