Cisco ISE- import CA store fails

milan-gajdos
Level 1

Hello,

I have a problem importing the Cisco ISE CA/key pairs. I have a two-node deployment, ISE1 and ISE2, where ISE1 was promoted to work as the primary admin node.

I exported the certificates from ISE2 successfully and stored them in the FTP-ISE-CERT repository; however, when I tried to import them on ISE1 I got a failure message:

"Import Operation Failed. CA keys file name not found at 'FTP-ISE-CERT'"

The running version of ISE is 3.3 patch 4.

Thank you

10 Replies

marce1000
Hall of Fame

- Might be unrelated but worth mentioning: https://bst.cisco.com/bugsearch/bug/CSCwe66801?rfs=qvred

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

What exactly do you need this CA trust point for? SFTP?

Which certificate are you referring to? An identity cert or a trusted cert? If an identity cert, was that issued by an internal PKI for both ISE nodes, or is it a self-signed cert that belongs to ISE2? If the latter, I don't believe you can import a self-signed cert of one node to another.

The point is to import a root CA certificate from ISE2 (originally the primary admin node) to ISE1 (originally the secondary admin node). Now the root CA certificate is only on ISE2, so if I understand it correctly and ISE2 becomes unavailable, ISE1 won't be promoted to the root CA and won't be able to issue certificates.

Sorry, but I'm still unsure which certificate you are referring to. Could you please share a screenshot showing which certificate you mean? Generally speaking, both nodes should sync the trusted root certificates; however, they don't automatically sync the identity certs, as those can be on a per-node basis. However, if you are referring to the ISE internal PKI, then the primary PAN would be your root CA, and that role should move when you move the primary PAN persona. With ISE you can enable the PAN auto-failover feature; however, this feature requires at least three nodes in your deployment, as the third node would be the node that checks the health of the PANs. Also, with PAN auto-failover there is no preemption, which means that even if a failover happens, the new PAN will remain as the primary even after the previous primary PAN is restored, until you manually re-promote the previous primary PAN to become the primary PAN again.

[Screenshot attached: Screenshot 2025-02-17 093425.png]

I'm not sure if I understand it correctly. The ISE1 node is now in the primary role, so the internal root CA certificate is supposed to be on that node. Nevertheless, the certificate still remains on ISE2. I'm confused now about which node acts as the root CA.

First of all, those certificates shouldn't be exported/imported manually by anyone. Those are ISE certificate authority certificates which are managed by ISE itself. I think you are right in saying the primary PAN should have the root CA certificate, but I don't think the root certificate will move if the primary PAN moves to the secondary PAN.

So, what I believe has happened here is that previously ISE2 was your primary PAN and at that stage the root CA certificate was generated on that node as expected. Then when you added ISE1 to the deployment, ISE1 got its node CA certificate signed by ISE2 which was still the primary PAN.

In fact, if you look at the screenshot you shared, you can see that ISE1 has a node CA certificate signed by ISE2. Now when you promoted ISE1 to become the primary PAN, the root CA certificate remained on ISE2, which I believe is expected; I don't believe promoting the PAN would move the root CA from the original primary PAN to the new one.

Also, I believe the node CA certificate that you see on ISE1 will still be able to sign the certificates to the PSN even if the root CA certificate is on ISE2.

Alright, thank you. I've got a question though. In case the root CA certificate stays on ISE2 and that node becomes unavailable, will ISE1 be able to issue certificates, for instance for BYOD? I mean, will the issued certificates still be considered trusted?

You're welcome. Yes, that would be my understanding, because ISE1 already has the node CA certificate signed by the ISE2 root CA, so it doesn't really need ISE2 in order to sign any required certs to the PSNs to serve the BYOD flow.
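The hierarchy described in this thread (root CA on the original primary PAN, a node CA on ISE1 signed by that root, endpoint certificates issued by the node CA) can be checked with plain OpenSSL. The script below is an added example, not Cisco's or the thread's code; the CA names, the temp-dir layout and the `ext.cnf` sections are constructed for illustration. It shows that the node CA keeps issuing certificates after the root key is gone, and that clients still need the root certificate in their trust store to validate them.

```shell
# Added example (not from the thread or from Cisco). "ise2-root" stands for
# the ISE internal root CA generated on the original primary PAN, "ise1-node"
# for the node CA ISE1 obtained from it; endpoint names are constructed.
set -eu
# Root CA (self-signed) and node CA (signed by the root) in a temp dir.
build_hierarchy() {
  d=$(mktemp -d)
  {
    printf '[req]\ndistinguished_name=dn\n[dn]\n'
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
    printf '[ee]\nbasicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n'
  } > "$d/ext.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/ext.cnf" -extensions ca -subj "/CN=ise2-root (constructed)" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ext.cnf" \
    -subj "/CN=ise1-node (constructed)" -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
  openssl x509 -req -in "$d/node.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/ext.cnf" -extensions ca \
    -out "$d/node.crt" 2>/dev/null
  echo "$d"
}
# Issue an endpoint cert using the node CA's key and cert only ($1=dir, $2=name).
issue_endpoint() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ext.cnf" \
    -subj "/CN=$2 (constructed)" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/node.crt" -CAkey "$1/node.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/ext.cnf" -extensions ee \
    -out "$1/$2.crt" 2>/dev/null
}
# Chain check as a client does it: root.crt is the only trust anchor and
# node.crt is passed as an untrusted intermediate. Exit 0 when the chain is valid.
verify_endpoint() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/node.crt" "$1/$2.crt" >/dev/null 2>&1
}
# Same check with only the node CA in the trust store: fails, no self-signed root reached.
verify_without_root() {
  openssl verify -CAfile "$1/node.crt" "$1/$2.crt" >/dev/null 2>&1
}
# Stand-alone run: delete the root key (root CA "unavailable") between two
# issuances and confirm both certificates still chain to the root.
if [ "${1:-}" = "run" ]; then
  dir=$(build_hierarchy); issue_endpoint "$dir" endpoint-1
  rm "$dir/root.key";     issue_endpoint "$dir" endpoint-2
  verify_endpoint "$dir" endpoint-1 && verify_endpoint "$dir" endpoint-2 && echo "both chain to root"
fi
```

Run it with `sh script.sh run`; the same logic applies to a real ISE chain exported from the Certificate Authority Certificates page, with the ISE root in place of `root.crt`.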