1: If someone has a .cia file, is there any method or tool that you can use to verify that it is a legit/good .cia file? And if the answer is "No", then how does the owner of the titlekeys website check if a titlekey is valid or not before adding it to the database list?
Yes and no. It is possible to verify it, but the problem is that if someone creates a CIA from their own legit tickets, then no other person can install it. Tickets match the console, and we modify tickets to work on any system, but this breaks the signature -> no longer valid.
To verify that a titlekey is correct, you can download the game/update on PC and use the key to decrypt it; if it's garbage -> not valid.
2: When you create decTitleKeys.bin using Decrypt9, does that file contain titlekeys AND tickets, or just titlekeys?
It contains the title ID and decrypted titlekey, not the ticket. Tickets are not needed; the important part is the key. A generic ticket can be generated from the key.
3: Actually, I still don't fully understand the difference between titlekeys and tickets. Could someone explain when and how they are used or generated and checked?
Tickets are like licenses: they tell your system what licenses you own.
Titlekeys are encryption keys; they are used to decrypt the CIA container.
Tickets contain titlekeys and many other values, like eShop account ID, console ID, title ID, ...
Also, the eShop never checks what you have installed. This is a myth; it's the other way around: your system checks if you own it and if it's re-downloadable or not.
This is why it's possible to download whatever you want directly on PC.