Originally on High Sierra our WiFi and VPN certs belonged in the system keychain, but since roughly 10.13.4 they started to appear in the login keychain.
The user login keychain gets deleted following a password reset using the FV2 recovery key method.
Are there other people in a similar position?
How do I get these certificates back into the system keychain?
How are the certs handed out? Via config profile?
Ultimately if you are looking to do this via script you can use /usr/bin/security.
If you do a 'man security', you will find the export and import arguments and can move the certs between the 2 keychains.
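
A sketch of the export/import approach suggested above, added here as an example and not posted by anyone in the thread. The function name, the temporary PKCS#12 path and the passphrase handling are assumptions; it also assumes the login keychain is unlocked and its private keys are extractable.

```shell
#!/bin/bash
# Added example, not from the thread. Function name, temp path and passphrase
# handling are assumptions; the security(1) flags are from its man page.
SECURITY="${SECURITY:-/usr/bin/security}"
SYSTEM_KC="/Library/Keychains/System.keychain"

# run: execute the command, or only print it when DRY_RUN=1 (for review first).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# move_identities LOGIN_KEYCHAIN P12_FILE PASSPHRASE
# Copies every identity (certificate + private key) to the System keychain.
move_identities() {
    login_kc="$1"; p12="$2"; pass="$3"
    if [ -z "$login_kc" ] || [ -z "$p12" ] || [ -z "$pass" ]; then
        echo "usage: move_identities <login keychain> <p12 file> <passphrase>" >&2
        return 2
    fi
    # Writing to the System keychain requires root.
    if [ "${DRY_RUN:-0}" != "1" ] && [ "$(id -u)" -ne 0 ]; then
        echo "must run as root to import into $SYSTEM_KC" >&2
        return 1
    fi
    umask 077   # the PKCS#12 file holds private keys; keep it owner-only
    # Export fails for keys that were imported as non-extractable (import -x).
    run "$SECURITY" export -k "$login_kc" -t identities -f pkcs12 \
        -P "$pass" -o "$p12" || return 1
    # On a failed import, still remove the exported key material.
    run "$SECURITY" import "$p12" -k "$SYSTEM_KC" -f pkcs12 -P "$pass" \
        || { run rm -f "$p12"; return 1; }
    # Remove the temporary key material once it is in the System keychain.
    run rm -f "$p12"
}
```

Calling it with `DRY_RUN=1` prints the three commands without touching any keychain. A passphrase passed with `-P` is visible in the process list while the command runs, so use a throwaway value.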