If the root CA is in a place that is inaccessible then there are no CRLs to check against for example. Root CA may exist outside of the airgapped env. Especially if the root CA is one that produces self signed certs. You are back to insecure TLS
A root doesn’t produce “self-signed certificates”. That especially doesn’t make any sense. What do you think the “self” references in “self-signed” certificate?
Add the root to your trust store, if you trust it, and you’re done.
What’s more concerning is someone working on (assumingly) secure, sensitive, air-gapped networks knows this little about TLS?
You mean create a root CA, install it as a trusted CA on _every single_ client that will interact with the client, manage revocations (whole thing in itself), and handle all the other management that goes along with being an authority (local or otherwise, it makes little difference).
There's nothing stopping you for creating your own root CA and using it to sign certificates for any other domain. You can create a certificate for google.com if you wanted and be signed with your own CA.
Now, obviously, you couldn't actually use that certificate publicly. If you were to try to MitM someone, their client wouldn't accept the certificate because your root CA's certificate won't be in their trusted list.
But add that root CA to your own system, and it'll work fine.