IMO port knocking isn't a good defense; people can always use nmap to scan for open ports and then try some combinations on them. Certificate authentication is way better (in combination with disabling password login).
Certificate authorization alone may not protect you from 0-day exploits against your SSH server. Not all port knockers use that port-pinging combination technique. Again, I recommend a look at fwknop, which addresses your concerns by actually using certificates.