Certificateless aggregate signature (CLAS) schemes enjoy the benefits of both certificateless cryptography and aggregate signature features. Specifically, it not only simplifies the certificate management without introducing the key escrow problem but also transforms many signatures into one aggregate signature to save communication and computation cost. CLAS is a powerful cryptographic tool, yet its security should be thoroughly analyzed before being implemented. In this paper, we give a new insight into the security of CLAS schemes. We introduce a potential and realistic attack called fully chosen-key attacks that has not been considered in the traditional security models and define the security model against fully chosen-key attacks. In contrast to the traditional models, the adversary is allowed to hold all the signers’ private keys and its goal is not to forge an aggregate signature but to output invalid single signatures that can be aggregated into a valid aggregate signature. We find there is no CLAS scheme secure in traditional security models that is secure against fully chosen-key attacks and then demonstrate how to reinforce the security of an existing scheme to withstand such an attack.