SSL Certificates vs. Bundles vs. Intermediary vs. Root


The more I refresh my understanding the more confused I get.

Say I have example.com and it’s time I update the SSL cert for that site. I have my private key, but then I end up downloading what appears to be a crt bundle and a csr. What is the difference between these?

CA bundle is a file that contains root and intermediate certificates. What are these two certificate types? How do they work in concert with SSL?

What is the base level of “new files” I would need, basically, to renew my certificate? It’s still not clear to me.

Are the root certs, for example, certificates that sit on my local machine for various things? I see them in different Windows and Linux and Mac hosts.


3 Answers

Anonymous

You are getting a few things confused. All SSL certs have a private key and a public key. CAs are used to sign other keys: “say that CA XYZ trusts cert 123”. Typically, a CA will make shorter-term certs (“intermediary certs”), and these are actually what is used to sign user certs, with the intermediary cert signed by the “root” CA cert.

When you have a website you make a private key (just pick a random prime basically), and a CSR that has details about the cert you want to make (what website it should be for), and the CA uses their intermediary cert to sign your CSR to make a crt file (your cert, which has some of the info from your CSR, and a signature, which will work with your private key). Note: the CA never gets your private key; it is NOT within the CSR.

A bundle is just a list of certs, and it’s used by things like web browsers to verify signatures. The CA bundle is typically configured by your browser so that the browser trusts any cert signed by any cert in the bundle. Since it contains all intermediary certs, it should always work.

Now, when a CA makes a new intermediary cert for signing certs, that might not be in everyone’s bundle, but the root CA is. So when making certs your CA will give you the cert chain (all intermediary certs between your cert and the root), and tell you to configure your server to include this with its certs. Now when a browser connects they’ll get all the certs in the chain, and can look it up in the bundle for certs, and it will match against the root cert and that will be enough to prove your server’s cert is good.
