As long as *accounts* are included in the certification, the Identity Vault accounts (or any authoritative or non-revokable accounts) will be included. You could add an Exclusion Rule to the Certification definition to omit these accounts - or, yes, select all of the applications with accounts that you want to certify that can be revoked.