can NRF52840 CryptoCell IP act as secure element?

The CryptoCell can store a Device root key in its internal SRAM. And the ACL — Access control lists can block read and/or write access to a region of flash. 

The common use case is to use a secure bootloader to read a key from flash and store it in the cryptocell, then use ACL to block read access to the flash region where the key is stored. 

I can not understand, before anything, Is secure to store the key in flash?

Depends on your definition of "secure".  

haakonsh said:

And the ACL — Access control lists can block read and/or write access to a region of flash. 

 Though do note IN133 Informational Notice v1.0. Talk to our Regional Sales Manager about device ordering and production programming for nRF52840's with a fix for this issue. 

Let's say that I would like to store a private key. I can create a flash section where I will store the private key and then using a secure bootloader to read that key and block the read in this section. In this way, I can jump to application (without rebooting/reset) and then again only on reset the bootloader can read the key. Am I correct? Also, what exactly means secure bootloader? 

Nikos Karamolegkos said:

Let's say that I would like to store a private key. I can create a flash section where I will store the private key and then using a secure bootloader to read that key and block the read in this section. In this way, I can jump to application (without rebooting/reset) and then again only on reset the bootloader can read the key. Am I correct?

 Yes, that's the intended use-case. 
 

Nikos Karamolegkos said:

Also, what exactly means secure bootloader? 

It means the use of signed FW images where the bootloader will verify any image it is asked to load, based on f.ex a stored key that only the bootloader has access to. 

From Secure boot and firmware updates: 
"Secure boot does a signature verification procedure on installed firmware before booting into it. This is to ensure that the firmware is authorized by the owner of the private key used to create the signature."

Nikos Karamolegkos said:

Let's say that I would like to store a private key. I can create a flash section where I will store the private key and then using a secure bootloader to read that key and block the read in this section. In this way, I can jump to application (without rebooting/reset) and then again only on reset the bootloader can read the key. Am I correct?

 Yes, that's the intended use-case. 
 

Nikos Karamolegkos said:

Also, what exactly means secure bootloader? 

It means the use of signed FW images where the bootloader will verify any image it is asked to load, based on f.ex a stored key that only the bootloader has access to. 

From Secure boot and firmware updates: 
"Secure boot does a signature verification procedure on installed firmware before booting into it. This is to ensure that the firmware is authorized by the owner of the private key used to create the signature."

Thank you. For folks that may need future help check here