No private key should be needed.
There's 2 different cert install options.
== SSL route ==
9) Security -> 3) Add SSL cert:
Running Add SSL Certificate
Choose the certificate file.
(The file must be in PKCS12 format with ".pfx" or ".p12" filename extension and should contain both the private key and the certificate.)
== CSR route ==
9) Security -> 11) Generate CSR
The Generate CSR creates a private key that only the AMP server needs to know about, and the private key gets overwritten if you generate a new CSR.
When you get the signed cert, upload it into AirWave using either the upload option [AMPCLI Main -> 3) Upload] or using the file transfer user option [8) Advanced -> 7) Add File Transfer User]
Once uploaded, use the signed cert option
9) Security -> 12) Install Signed Certificate
Choose the certificate file.
(The file must be in PEM format with the filename extension ".crt")
It'll give you a picklist to choose your cert from.