The free certs from https://letsencrypt.org/ do indeed work as described. I wanted to check them out for some public-facing services I wanted to run.
To get a certificate you run the client program on the host that the name you want the cert for resolves to – so if “foo.example.com” resolves to 10.6.6.6, you need to install the cert generation program on 10.6.6.6 and have either port 80 or 443 free (I didn’t look too much into this, but I think that’s correct).
I had to briefly open the firewalls on those ports because I was testing the certs out on services that don’t run on 443, but on some other fairly random port.
Obviously this cries out for automation (Ansible/Chef/Puppet or whatnot), but it’s also interesting to think about what happens if you’re compromised: whoever controls the host that the name resolves to can pass the same challenge, so an attacker on that box can generate valid certs for your domain. Let’s Encrypt submits every certificate it issues to public Certificate Transparency logs, so watching the logs for your domains is the practical way to catch that.
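To make concrete what the CA actually checks when it "validates" the host, here is an added example (not code from the original post, and not Let’s Encrypt’s own client) of the host-side half of the ACME HTTP-01 challenge. The CA fetches `http://foo.example.com/.well-known/acme-challenge/<token>` over port 80 and expects the key authorization back: the token, a dot, and the base64url SHA-256 thumbprint of the account’s public key in canonical JWK form (RFC 8555 and RFC 7638). Anyone who can answer that request on the host the name resolves to passes; that is the whole point of the compromise scenario above. The account key, the token and the `pending` set are constructed for the example; registering the account and signing the requests to the CA are the client’s job and are not shown. The 443 option mentioned above is the TLS-based challenge and is not covered here.

```python
import base64
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: the public half of an ACME account key as a JWK.
# The "n" value is made up for the example and is not a real RSA modulus.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "u1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0_IzW7yWR7QkrmBL7jTKEn5u-qKhbwKfBstIs-bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW_VDL5AaWTg0nLVkjRo9z-40RQzuVaE8AkAFmxZzow3x-VJYKdjykkJ0iT9wCS0DRTXu269V264Vf_3jvredZiKRkgwlL9xNAwxXFg0x_XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC-9aGVd-Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmw",
    "e": "AQAB",
    "alg": "RS256",  # present in real keys, but excluded from the thumbprint input
    "kid": "example-account-key",
}

# RFC 7638: the thumbprint hashes only the required public members, in
# lexicographic key order, with no whitespace.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Base64url alphabet without padding, the only characters an ACME token may contain.
TOKEN_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url(data: bytes) -> str:
    """Base64url encode without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Serialise the JWK exactly as RFC 7638 specifies for hashing."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JWK, base64url encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the CA expects to read back: '<token>.<thumbprint>'."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def is_well_formed_token(token: str) -> bool:
    """ACME tokens are base64url and carry at least 128 bits of entropy (>= 22 chars)."""
    return len(token) >= 22 and all(c in TOKEN_ALPHABET for c in token)


CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def challenge_response(path: str, pending: set, jwk: dict) -> tuple:
    """Pure request handler: (status, body) for a GET of `path`.

    Only tokens the ACME client has registered in `pending` are answered, so a
    stray request for some other path or an unknown token gets a 404 rather
    than a guessable response.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, b""
    token = path[len(CHALLENGE_PREFIX):]
    if not is_well_formed_token(token) or token not in pending:
        return 404, b""
    return 200, key_authorization(token, jwk).encode("ascii")


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal HTTP listener for port 80 that serves only challenge responses."""

    pending = set()  # tokens the ACME client told us to expect
    jwk = ACCOUNT_JWK

    def do_GET(self):
        status, body = challenge_response(self.path, self.pending, self.jwk)
        self.send_response(status)
        # RFC 8555 recommends application/octet-stream for the key authorization.
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed token; in practice the client receives it from the CA.
    ChallengeHandler.pending.add("evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA")
    HTTPServer(("", 80), ChallengeHandler).serve_forever()
```

Note that nothing in the exchange involves a secret on the host: the thumbprint is derived from the account’s public key, and the token comes from the CA. Control of what answers on port 80 for that name is the only thing being proven, which is why a compromised host (or a stale DNS record pointing at an address you no longer own) is enough to obtain a certificate.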
Some interesting attacks can/will come out of this.