Kestrel server is configured with multiple endpoints with a different certificate on each one. I can find currently used cert in debugger via
var f = HttpContext.Features.Get<ITlsConnectionFeature>();
((Microsoft.AspNetCore.Server.Kestrel.Core.Internal.TlsConnectionFeature)f)
._sslStream.LocalCertificate;
But I'm interested in reflection-free method.
NET 8
Use new context.Features.Get<ISslStreamFeature>().
For pre-NET 8
Add ServerCertificateSelector in the https options and then you can context.Features.Get<SslStream>(). See https://github.com/dotnet/aspnetcore/issues/46442#issuecomment-1420150725