Why would I choose SHA-256 over SHA-512 for a SSL/TLS certificate?
From a security perspective, it would be pretty pointless. In practical terms, SHA-256 is just as secure as SHA-384 or SHA-512. We can't produce collisions in any of them with current or foreseeable technology, so the security you get is identical.
From a non-security perspective, the reasons to choose SHA-256 over the longer digests are more easily apparent: it's smaller, requiring less bandwidth to store and transmit, less memory and in many cases less processing power to compute. (There are cases where SHA-512 is faster and more efficient.)
Third, there are likely compatibility issues. Since virtually no one uses certs with SHA-384 or SHA-512, you're far more likely to run into systems that don't understand them. There are probably fewer issues now than in the past, but again, you're buying yourself risk for no gain.
So, at the present time, there are no clear advantages to choosing SHA-384 or SHA-512, but there are obvious disadvantages. This is why SHA-256 is the universal choice for modern certs for websites.
The only real advantage that SHA-512 might have over SHA-256 is collision resistance, a term that in cryptography has a very narrow meaning. SHA-256 claims 128-bit collision resistance, SHA-512 claims 256-bit. If or when a practical quantum computer is built, we might need the 256-bit collision resistance.
Since SSL certificates typically have expiration dates in a relatively short term, it's just fine to get a SHA-256 certificate today, because it'll expire before a practical quantum computer is built (if that ever happens).
Apart from that:
- SHA-256 outputs are shorter, which saves bandwidth.
- Different hardware favors different functions. SHA-512 is generally faster on 64-bit processors, SHA-256 faster on 32-bit processors. (Try the command
openssl speed sha256 sha512
on your computer.) - SHA-512/256 sits right in between the two functions—the output size and security level of SHA-256 with the performance of SHA-512—but almost no systems use it so far.