by orf 492 days ago
This makes no sense. Do you believe TLS is somehow impossible on “airgap environments”?

If the root CA is in a place that is inaccessible, then there are no CRLs to check against, for example. Root CA may exist outside of the airgapped env. Especially if the root CA is one that produces self-signed certs. You are back to insecure TLS.
None of this makes any sense.

A lack of CRL doesn’t make TLS insecure.

A root doesn’t produce “self-signed certificates”. That especially doesn’t make any sense. What do you think the “self” references in a “self-signed” certificate?

Add the root to your trust store, if you trust it, and you’re done.

What’s more concerning is someone working on (assumingly) secure, sensitive, air-gapped networks knows this little about TLS?
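
The points argued in this thread, as an added example that is not part of any comment above: a private root CA on an offline host, a leaf certificate it issues, and chain validation with and without the root in the trust store, with no CRL check requested. The CA name, host name and file names are made up for illustration, and the `openssl` CLI (1.1.1 or later) is assumed to be installed.

```bash
# Constructed demo for an offline network: private root CA, no CRL/OCSP lookups.
# CA and host names below are made up for illustration.
build_pki() {  # $1 = empty working directory
  local d="$1"
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Airgap Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Root: signed with its own key, so issuer == subject ("self"-signed).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Leaf: CSR signed by the root key, so issuer != subject (CA-signed).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=svc.internal.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Host default trust store only: the private root is unknown, so this fails.
verify_default_store() { openssl verify "$1/leaf.pem" >/dev/null 2>&1; }

# Root added as trust anchor: chain validates; no -crl_check is requested.
verify_with_root() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Self-signed = same issuer and subject, and signature checks under own key.
is_self_signed() {  # $1 = certificate file
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d) && build_pki "$d" || return 1
  verify_default_store "$d" || echo "leaf rejected: root not in trust store"
  verify_with_root "$d" && echo "leaf accepted: root trusted, no CRL fetched"
  is_self_signed "$d/root.pem" && echo "root is self-signed"
  is_self_signed "$d/leaf.pem" || echo "leaf is CA-signed, not self-signed"
  rm -rf "$d"
}
demo
```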