Consider the following scenario, a host controller hc1 on machine-A and a slave host controller hc2 on machine-B, they do not share a filesystem.
Currently if an user wants to import a certificate from a /host=hc1/subsystem=elytron/key-store=ks1 to /host=hc2/subsystem=elytron/key-store=ks2 he should call export-certificate on ks1 and manually copy the generated file to hc2, this can present problem on cloud environments.

So I suggest to enhance the export/import certificate operations to import the certificate directly from a key-store resource, one example may be:
/host=hc2/subsystem=elytron/key-store=ks2:import-certificate(source-resource="/host=hc1/subsystem=elytron/key-store=ks1",alias=my_alias)