Https injecting javascript, steal crtificate


I have a question which came to my mind regarding ssl security. Ssl encrypts data with a public key and decrypts with a private key. So in the figure

client->public key to private key-> server

Does also the server uses the same public key to encrypt before sending? The server associates each client with a public key and saves it?

So in reverse,

server->public key to private key-> client

If this is the case

A person who is arp spoofing and can edit the data passing through the network could use this public key to inject javascript code in middle of the content since most likely it will html page being rendered..? So without the need of seeing the data, can we inject with only using the decryption?

Second question is,

When the client first connects to a website if the arp spoofing is implemented in the same network, on the first hand shake, can the sniffer some how steal the private key or the ssl signed certificate? If there already exists one, tell the server or the user somehow that it is expired to obtain the new plain data one?

For example,

The ssl request The client -> the sniffer -> the webserver is being told the client does not have a valid ssl or the current one is expired and new one is requested, 

Can it intercept the plain certificate data to steal the private key the second way?

 The server(oh here take it) -> sniffer (hehe ihave the new certificate) - > the client, use this, this the new cert old one doesnt work anymore```