So, in the typical implementation of it, you will have a Certification Authority that issues and digitally signs all of the certificates. When you encrypt something with someone’s public key to send it to them, the CA checks that the public key you are using is valid and signed. If not, it will be rejected. If it is signed, the CA verifies it and sends it along, and the message is then decrypted with the other users *private* key.

It can’t be decrypted with the private key, only encrypted.

On top of that, actually breaking the encryption is incredibly difficult nearing impossible. The hashing algorithms now take hundreds of thousands of years to brute strength crack.

Think of it like a lock with two key holes. One key can lock it, one can unlock it, and the lock verifies that any key put in is a legitimate key that was issued. I send you something and lock it with the verified key you gave out to have people lock stuff, but only you have the key to unlock it.