It's a simple string and you can change it during runtime. So you can store it anywhere you like or your setup allows. Depending on the exact hardware you're using you might store it in the flash, the RTC SRAM or a connected SD card reader.
The problem is, when the certificate has changed, I cannot longer remotely connect to the ESP32 (to update the certificate).
I don't see why you cannot connect to the ESP32, as the root certificate is used for making a request from the ESP32 to an HTTPS server. So the ESP32 cannot connect to the outside world (by HTTPS) but not the other way around.
BTW: Are you sure your hoster replaces the root certificate and not some intermediate certificate?