
Auto import Let's Encrypt root CA while using pki certificate acme
Open, Normal, Public, FEATURE REQUEST

Description

Hey guys.

Think it would be nice to have the option to auto import the Let's Encrypt root CA since the ACME bot is providing it anyway.

Maybe add a command like: set pki certificate <name> acme import-root-ca
This will at least provide the user with the option to do it without needing to search for the root and intermediate CAs and convert/import them into VyOS.

Thanks!

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)

Event Timeline

Personally I think there should be a difference between setting PKI manually like set pki certificate and set pki ca vs whatever the command is to utilize letsencrypt or acme or whatever they might be called automatically through VyOS (let's say set pki letsencrypt and set pki acme etc).

I think that set pki certificate should NOT auto-import any CAs, while set pki letsencrypt and set pki acme should have that option, something along the lines of what you suggested (set pki letsencrypt certificate <certname> import-ca), or that once executed it should ask the admin whether the CA should be added (default yes) in case import-ca isn't defined on the command line.

Edit: One could of course argue that perhaps the letsencrypt and acme CAs should already be imported natively; this way you don't have to add them.

syncer triaged this task as Normal priority.

There is no need for set pki letsencrypt or set pki acme as a PEM will always be provided and we have a common PEM framework.

The main technical reason (why it's not imported) is that we would need to alter the CLI during a commit, which will introduce a chicken and egg problem. We have a few places (e.g. system login) doing this but it's mainly discouraged. As soon as a script alters the CLI we can NOT make use of vyos-configd to run all the CLI scripts.

The most "common" idea and in parallel to normal PEM certificates would be an OP mode command to install the key into the working configuration -> import pki

vyos@vyos:~$ import pki 
Possible completions:
  ca                    Import CA certificate into PKI
  certificate           Import certificate into PKI
  crl                   Import certificate revocation list into PKI
  dh                    Import DH parameters into PKI
  key-pair              Import key pair into PKI
  openvpn               Import OpenVPN keys into PKI

Imho, this should be reflected in the documentation, at least; ideally with an example for how to import the most recent ACME intermediates.
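As an added illustration of the manual route discussed in this thread (not code from VyOS or from anyone in the task), the script below takes the fullchain bundle an ACME client writes, splits it into the leaf and the CA certificates that follow it, sanity-checks that each block decodes to a DER SEQUENCE, and renders config-mode set pki ca commands for the CA part only. It assumes the leaf-first ordering ACME clients use, that the bundle may or may not end with the root, and that the VyOS pki CLI takes the base64 body on one line without the BEGIN/END lines. The embedded bundle is constructed: its bodies are tiny DER SEQUENCEs standing in for real certificates so the script runs offline, and the name prefix acme-chain is arbitrary.

```python
import base64
import re
import sys

# Constructed stand-in for an ACME "fullchain.pem": a leaf followed by one
# intermediate. The bodies are minimal DER SEQUENCEs, NOT real X.509
# certificates; point the script at the real bundle to use it.
_FAKE_DER_1 = bytes([0x30, 0x03, 0x02, 0x01, 0x01])  # SEQUENCE { INTEGER 1 }
_FAKE_DER_2 = bytes([0x30, 0x03, 0x02, 0x01, 0x02])  # SEQUENCE { INTEGER 2 }


def _pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor, base64 wrapped in lines like openssl does."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SAMPLE_FULLCHAIN = _pem(_FAKE_DER_1) + _pem(_FAKE_DER_2)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_chain(pem_text: str) -> list:
    """Return the base64 body of every CERTIFICATE block in file order,
    with armor lines and line breaks removed (the form the VyOS CLI takes).
    Each body is decoded once to make sure it is valid base64 and starts with
    the DER SEQUENCE tag, so a truncated or non-certificate block is rejected
    before it ever reaches the router configuration."""
    bodies = []
    for match in PEM_BLOCK.finditer(pem_text):
        body = re.sub(r"\s+", "", match.group(1))
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        bodies.append(body)
    return bodies


def vyos_ca_commands(pem_text: str, name_prefix: str) -> list:
    """Render 'set pki ca' commands for every certificate after the leaf.
    ACME bundles are leaf first, so bodies[1:] is the intermediate(s) and,
    if the client included it, the root."""
    bodies = split_chain(pem_text)
    if len(bodies) < 2:
        raise ValueError("bundle holds no CA certificates after the leaf")
    return [
        f"set pki ca {name_prefix}-{i} certificate '{body}'"
        for i, body in enumerate(bodies[1:], start=1)
    ]


if __name__ == "__main__":
    # Usage: python3 chain_to_vyos.py [fullchain.pem]; without a path the
    # constructed sample bundle is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FULLCHAIN
    for cmd in vyos_ca_commands(text, "acme-chain"):
        print(cmd)
```

Review what the script emits before committing it: the DER check only guards against broken blocks, so confirm each CA body really is the issuer you expect (for example by inspecting it with openssl) rather than trusting whatever happened to be appended to the bundle.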