Scott,
You don't need to promote the secondary to primary status.
To install the CA, log in to the GUI on the secondary server, then go to Users & Identity Stores, then the CA certificate section, and add the CA root certificate there.
To install a server certificate, go to System Administration, then Local Certificates and add the certificate there. You are given options to upload a certificate and a key, to create a CSR, etc.
Javier Henderson
Cisco Systems