"Fake tokens" was a bad way to put it - I was thinking about the alt tokens that admins have, but those aren't linked to email.
Each email account has a set of keys, one public, one private. The public keys are published with the address listings. All the private keys are centrally (securely*) stored by the issuing authority. You might have a password on your Outlook pst folder, but that’s the extent of the protection. (It’s probably something easily cracked.)
Someone might have two current sets of keys - they might have one set for a personal account and one set for an organizational account. Or they might know someone who will set up a bogus account for them, but if they got a set of encryption keys, those keys are centrally held, and if the court wants to know what's in the emails, there is a high probability they can find out.
My guess is they thought they were cute enough by having the second account and didn’t even bother with the keys, but that’s just my guess.
No. Typically the private key is generated in your browser and the certificate authority signs the public key in a cert request. There are other authentication schemes where a server keeps a private key and sends it to your email client when it is needed, but those are not standard PKI.
If you decide to buy an email cert from VeriSign or someone else, they do not ever touch or see your private key.
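The flow that reply describes (key pair made locally, only the public half sent to the CA inside a certificate request), as an added shell example that is not from the thread. It assumes the `openssl` CLI is installed; the address and file paths are made up.

```shell
#!/bin/sh
# Added example, not from the thread: generate an e-mail key pair locally and
# show that the certificate request (CSR) the CA receives carries only the
# public key. Assumes the openssl CLI; the address and paths are made up.
set -e

WORK="${TMPDIR:-/tmp}/pki-demo.$$"
KEY="$WORK/mail.key"      # private key: never leaves the holder's machine
CSR="$WORK/mail.csr"      # certificate request: this is all the CA gets

# Generate a 2048-bit RSA key locally and a CSR carrying the matching public key.
make_key_and_csr() {
    mkdir -p "$WORK"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" \
        -subj "/CN=alice@example.invalid/emailAddress=alice@example.invalid" \
        2>/dev/null
}

# The CSR must contain no private-key material at all.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$CSR"
}

# The public key embedded in the CSR must be exactly the public half of the
# locally generated key.
csr_pubkey_matches_local_key() {
    [ "$(openssl req -in "$CSR" -noout -pubkey)" = "$(openssl pkey -in "$KEY" -pubout)" ]
}

# The CSR is self-signed with the private key, so the CA can verify proof of
# possession without ever being handed the key itself.
csr_signature_verifies() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }

# Usage: run the checks in order, then remove the scratch directory.
main() {
    make_key_and_csr
    csr_has_no_private_key && echo "CSR holds no private key"
    csr_pubkey_matches_local_key && echo "CSR public key matches local key"
    csr_signature_verifies && echo "CSR proof-of-possession signature OK"
    cleanup
}
```

A CA that actually held the private key could read and sign as the holder; the checks above are what a subscriber can run to confirm that never happened in the standard flow.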