If I understand passphrase generation correctly, it's 6 groups of 4 characters. Characters come from [A-Z1-9]-range with 1IOS5U excluded to avoid ambiguity. That's 29 distinct characters. $log_2 (29^{24})$ is approximately 116.6.

Given long-term nature of Certify-key, why not follow NIST recommended >=192 bits when storing it - for key-passphrase and/or symmetric encryption at rest?

That would require going from 6 groups to 10 groups, providing 194 bits of entropy:

export CERTIFY_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
  tr -d "1IOS5U" | fold -w 50 | sed "-es/./ /"{1..46..5} | \
  cut -c2- | tr " " "-" | head -1) ; printf "\n$CERTIFY_PASS\n\n"