Need help with SSL config

I'm trying to use the tcp input plugin but having trouble understanding the various SSL options. I know I need to set the ssl_enable to true but am unsure of the other options: ssl_cacert, ssl_cert, ssl_key, and ssl_key_passphrase. Can someone provide a typical scenario where encrypted messages are sent to and received by the tcp input plugin? Something a little more than "The path to the SSL certificate the connection should use" would be helpful. I understand the basics of SSL but find it hard to map what I know onto these options. For example, is ssl_cacert or ssl_cert the public key to decrypt the messages? Or is it the ssl_key? Are all always needed?