When a digital certificate is generated, it's possible that it doesn't have a private key. In that case, the digital certificate is not usable. How is the private key managed with Top Secret?
The private key for a certificate is created by the entity that generates the certificate. If you use the TSS GENCERT/GENREQ commands in Top Secret, then the private key is created at GENCERT time. When you pass the certificate to the CA (Certificate Authority), there is no private key passed. By default, the CA will verify the certificate for you and pass it back also WITHOUT a private key. When you then add that certificate back into the Top Secret database, the new certificate will be reconnected to the original key.
This is all handled internally in Top Secret.
In the case of a certificate generated externally (i.e., by a third party vendor), the process is the same. The private key is generated when the certificate is first generated, for example, under Windows. You would then need to pass that certificate to a CA for verification. When the certificate is returned, it must be brought back into Windows to be reconnected with the private key.
Once that process is complete, the certificate would then need to be EXPORTED from Windows and placed into a dataset.
This will require a password to be specified when the file is exported from Windows.
The certificate then needs to be ADDed into Top Secret in order for it to be stored there. The add process would need to specify the same password that was used at EXPORT time. The export process will have copied the certificate WITH the private key. That is why the password is required. The TSS ADD command format would look something like this:
TSS ADD(acid) DIGICERT(TESTSYS) LABELCERT(certificate label) DCDSN('TESTSYS.CERT.PKCS') TRUST PKCSPASS(user_specified_password)
The certificate is not usable when there is no private key stored. You need to get the validated certificate together with its private key from Windows via an export; that exported file is what you add into Top Secret.
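The following is an added example, not from the original page and not Top Secret or Windows code. It replays the lifecycle described above with OpenSSL standing in for the key-generating side and for the CA: the key pair is created together with the request (the analogue of GENCERT/GENREQ), the CA returns a certificate with no key in it, the certificate is re-paired with the original key and exported as a password-protected PKCS#12 file, and a check confirms that the export really carries a private key matching the certificate before anyone attempts the TSS ADD. The CA, the subject names, the password and the file name TESTSYS.CERT.PKCS are constructed for the demonstration; a certificate-only export is built alongside to show the "not usable" case.

```shell
#!/bin/sh
# Added example (not the page's own procedure): the certificate/key lifecycle
# with OpenSSL, plus a check that an export actually contains the matching key.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the private key and the signing request are created together.
# From here on the key stays on this side and is never sent to the CA.
gen_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=testsys.example" 2>/dev/null
}

# Step 2: a constructed stand-in CA signs the request. What comes back is a
# certificate only; no private key travels in either direction.
ca_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Constructed Test CA" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -sha256 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: re-pair the returned certificate with the original key and export
# it as a password-protected PKCS#12 file (the form PKCSPASS() refers to).
export_pkcs12() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -certfile "$WORK/ca.crt" -out "$WORK/TESTSYS.CERT.PKCS" -passout pass:"$1"
}

# The check a practitioner wants before ADDing: does the export contain a
# private key, and is it the key that belongs to the certificate?
# Returns 0 on a match, 1 if the key is absent, mismatched or the password is wrong.
verify_pkcs12_has_matching_key() {
  file=$1; pass=$2
  cert_pub=$(openssl pkcs12 -in "$file" -passin pass:"$pass" -nokeys -clcerts 2>/dev/null \
             | openssl x509 -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkcs12 -in "$file" -passin pass:"$pass" -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout 2>/dev/null || true)
  if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    return 0
  else
    return 1
  fi
}

run_demo() {
  gen_key_and_csr
  ca_sign
  export_pkcs12 "user_specified_password"
  # Constructed negative case: the certificate alone, with no private key.
  openssl pkcs12 -export -nokeys -in "$WORK/server.crt" \
    -out "$WORK/certonly.p12" -passout pass:"user_specified_password"
}

run_demo
if verify_pkcs12_has_matching_key "$WORK/TESTSYS.CERT.PKCS" "user_specified_password"; then
  echo "TESTSYS.CERT.PKCS: certificate and private key match, usable"
fi
if ! verify_pkcs12_has_matching_key "$WORK/certonly.p12" "user_specified_password"; then
  echo "certonly.p12: no private key in the export, not usable"
fi
```

The check compares the SubjectPublicKeyInfo extracted from the certificate with the public half derived from the private key in the same file; an export made with only the certificate, or opened with the wrong password, fails it, which is the situation the answer describes as "not usable".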