Since the common names are going to change, you will need to create new certificates and bind them to the respective services. Note that if your certificate chain changes, your end nodes will need to import the new chain so that your new ISE certs are trusted accordingly. Also, keep in mind that binding a new cert to certain services will trigger an application reload. Good luck & HTH!
We don't want to change the certificates, so we have to keep the same hostname.
So we are thinking of removing the secondary node and replacing it with a VM that will have the same hostname, so we won't have any changes in the certificates, and then doing the same to the primary node. Do you think it will create any problem?
One way to accomplish what you want to do is to back up your configuration from the current nodes, and import the configuration on the new VMs. If you plan to retain your existing certs, make sure that you export the certificate along with the private key. Then, after you import your config to the new VM, import the cert + priv key. Good luck & HTH!
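A pre-import check for the exported certificate and private key described in the reply above, as an added example that is not part of the original thread and not Cisco tooling. It assumes both files are PEM, that the private key can be read by openssl without a passphrase, and that the file names and hostname are supplied by the caller; `check_cert_bundle` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: confirm an exported cert + private key are a usable pair
# for a replacement node that keeps the same hostname.
# Assumptions: PEM files, key readable without a passphrase.

# check_cert_bundle CERT KEY HOSTNAME
# Returns 0 if the key belongs to the cert, the cert covers HOSTNAME
# and the cert has not expired; otherwise prints the reason and returns 1.
check_cert_bundle() {
    cert=$1
    key=$2
    host=$3

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert"; return 1; }

    # Public key derived from the exported private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key"; return 1; }

    # A mismatch means the wrong key was exported with this certificate.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate"; return 1
    fi

    # -checkhost compares against SAN dNSName entries, falling back to the CN.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" \
            | grep -q "does match"; then
        echo "certificate does not cover hostname $host"; return 1
    fi

    # -checkend 0 exits non-zero if the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired"; return 1
    fi

    echo "OK: key matches, hostname covered, not expired"
}
```

Run it against the exported files before decommissioning the old node, passing the hostname the replacement VM will keep.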