Electronic Financial Authentication vs. the Old Public Certificate: What's Really Changed?


Why Are People Still Confused After the “Abolition” of Public Certificates?




"The public certificate has been abolished."
This short news headline gave many people a sense of freedom. But in practice, things still feel... the same. Bank apps still ask you to import a “joint certificate,” and you’re still required to enter a complex password to log in. So, what exactly has changed?

Add to that the mix of terms like “digital signature,” “joint certificate,” “financial certificate,” “Kakao certificate,” “PASS,” and it’s easy to see why many users are lost.

In this post, we’ll break down:

  • What “abolishing the public certificate” really means

  • How new authentication systems differ in technology and experience

  • And most importantly, how to secure your personal certificate in today’s environment


The Inconvenient Past: Why the Old Public Certificate Was a Pain





The traditional Public Certificate system was created under the 1999 Electronic Signature Act. Only a few government-approved entities could issue it, and it was legally binding.

While it was based on standard PKI (Public Key Infrastructure) cryptography, the user experience was the real issue:

  • Private key stored as a file: The private key was saved as a file in the NPKI folder on your PC. This file was highly vulnerable to viruses and could easily be copied and leaked.

  • ActiveX & plugin hell: Users had to install various browser plugins (like ActiveX) to use the certificate — which only worked on Internet Explorer and Windows, creating major compatibility issues and frequent errors.

  • Annual renewal & complex passwords: Users had to go through a difficult renewal process every year, managing long passwords with special characters that were hard to remember.


What Did the “Abolition” of the Public Certificate Really Mean?




When the amended Electronic Signature Act went into effect in December 2020, it didn’t kill the technology. Instead, it ended its monopoly.

  • Not a technology shutdown: PKI-based cryptography is still alive and in use.

  • Abolished the exclusive status: The “official” title was removed, and all digital signatures — whether public or private — were granted equal legal validity.

As a result, the former public certificate was rebranded as a “joint certificate”, and new players like Kakao, Naver, and telecoms were allowed to introduce user-friendly digital authentication services.


Joint Certificate vs. Private Authentication: What’s the Difference?




While they might appear similar, the main difference lies in how and where the private key is stored and authenticated.

| Category | Joint Certificate (Former Public Cert) | Private Certificate (Kakao, Naver, PASS, etc.) |
|---|---|---|
| Key Storage | A file managed by the user (PC, USB, token) | Inside a secure zone of the smartphone (Secure Enclave/TEE) |
| Authentication | Manual password entry | Fingerprint, facial recognition, or smartphone PIN |
| Security Risk | Key file can be copied & misused if leaked | Key never leaves the device; must unlock phone to use |
| User Experience | May require plugin installations and file transfers | App-based, seamless pop-up authentication |

In short, private certificates are safer and more convenient because the private key is locked inside the smartphone’s hardware, and authentication happens through biometric verification — not by typing long passwords.


How to Secure Your Digital Certificate (Best Practices)




Different types of certificates require different security approaches. Here's how to handle them safely:

1. Joint Certificates (Legacy Public Certificates)

Since the certificate is a file, how you store it is critical.

  • Storage: Avoid saving it on your PC’s internal drive (especially C:). Ideally, use a hardware security token (HSM). Alternatively, store it on a dedicated USB stick that’s only connected when needed.

  • Password: Use a long, unique password not used anywhere else — a mix of letters, numbers, and symbols.

  • Renewals: Reset immediately if you forget your password or suspect it’s been compromised.

  • PC Disposal: Before selling or discarding a computer, delete the entire NPKI folder under C:\Users\[Username]\AppData\LocalLow.
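To check where certificate key files actually sit before disposing of a PC, the following added example (not part of the original post) walks a drive or folder and reports every NPKI folder that still holds a private key, including copies outside the usual profile path. The file names signPri.key and signCert.der are assumed from the usual joint-certificate folder layout, and the sample tree is constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# File names assumed from the usual joint-certificate layout; adjust if yours differ.
KEY_NAME = "signpri.key"    # private key file (compared case-insensitively)
CERT_NAME = "signcert.der"  # matching certificate file


def find_npki_keys(root):
    """Return one record per private-key file found under any folder named NPKI."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        parts = Path(dirpath).parts
        lowered = [p.lower() for p in parts]
        names = {f.lower() for f in files}
        if "npki" in lowered and KEY_NAME in names:
            npki_root = Path(*parts[: lowered.index("npki") + 1])
            hits.append({"npki_root": str(npki_root),
                         "cert_dir": dirpath,
                         "has_cert": CERT_NAME in names})
    return hits


def remove_npki(hits, dry_run=True):
    """List the distinct NPKI folders; delete them only when dry_run is False."""
    roots = sorted({h["npki_root"] for h in hits})
    if not dry_run:
        for folder in roots:
            shutil.rmtree(folder)
    return roots


def build_sample_tree(base):
    """Constructed sample: one NPKI folder in a profile, one forgotten backup copy."""
    for rel in ("Users/alice/AppData/LocalLow/NPKI/ExampleCA/USER/cn=alice",
                "Users/alice/Documents/backup/npki/ExampleCA/USER/cn=alice"):
        d = Path(base, rel)
        d.mkdir(parents=True)
        (d / "signPri.key").write_bytes(b"constructed placeholder, not a real key")
        (d / "signCert.der").write_bytes(b"constructed placeholder")
    (Path(base) / "Users/alice/Documents/notes.txt").write_text("unrelated")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = find_npki_keys(tmp)
        for hit in found:
            print(hit["cert_dir"], "cert present:", hit["has_cert"])
        print("would delete:", remove_npki(found))
```

Point find_npki_keys at a drive root or a USB mount point to audit real storage; remove_npki only lists folders until it is called with dry_run=False.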


2. Private Mobile Certificates (Kakao, Naver, etc.)

In these systems, the smartphone is the vault — so securing your device is key.

  • Enable Strong Locks: Use fingerprint, PIN, or face unlock — not just swipe or simple patterns.

  • App-specific Locks: Add an extra layer of security by locking apps that handle authentication (like KakaoTalk or Naver).

  • Prepare for Loss: Enable Find My Mobile or equivalent to remotely lock or wipe your device if lost.

  • Beware of Fake Requests: Hackers may trick users into approving authentication pop-ups they didn’t request. Never approve a login unless you initiated it.


Choosing the Right Certificate for You



The abolition of public certificates was not the end of a technology — it was the beginning of freedom of choice.

The government no longer enforces a single method. Now it’s up to users to select an authentication solution that suits their needs.

  • If you need to use the certificate across multiple devices or institutions:
    The Joint Certificate stored in a USB or token is still a valid and flexible option.

  • If you prioritize convenience and mobile-first access:
    Private Certificates from Kakao, Naver, or PASS are far more user-friendly and secure.


Digital Signatures Are Here — Manage Them Wisely



We’re living in the age of digital signatures. With that comes both responsibility and control.

Instead of being forced into one way of doing things, users now have secure, convenient options — but that also means being aware and proactive about managing your credentials.

Start by checking:

  • Is your certificate securely stored?

  • Is your smartphone well protected?

  • Are you approving only the authentication requests you initiated?

The future of digital authentication is bright — but only if you treat your certificate like the key to your digital life.


