If by certificates you mean private key authentication, then PuTTY does it. If not then i dunno.
As for the keydrive thing... WinZip, WinAce, and WinRar on there is a waste. Just use (IMO) WinRar and be done with it. There is no need for all three as the latter two do all WinZip does and more.
I'd prolly throw something like ehtereal on there too (I have not checked how big it is so forgive me if it's friggin huge) and a lightweight scanner like superscan (assuming this is for win systems or I'd say nmap).
Another thought is to make the keydrive itself bootable. Not all bios' will support this, I realize, but for those that do it'd be real handy.
How about
fdisk ?
NTPasswd ?
PWDump2 ?
JTR ?
TomsRTBT ?
I know I got more to add yet....
Infinite