Thank you both @ajbeamon and @josephg, brilliant replies! I apologize for not replying earlier giving you proper thanks but I was essentially away from keyboard for two weeks.
Perfect step by step @ajbeamon. I was able to replicate your SSL setup after creating a new FDB cluster. For now I’m throwing the kitchen sink (cert file + key file + CA file + no verification) at fdbcli, as my setup still doesn’t run without the CA file even with tls_verify_peers=Check.Valid=0, but I really don’t mind as it works.
I also saw that @bnamasivayam has already fixed the “Support TLS command line options in backup” and it’s waiting to be committed. So exciting!
I am curious, however, if there’s a way of indicating the TLS information that should be forwarded to the backup agent from the configuration file, as it’s automatically started by fdbmonitor. I’m guessing the laziest setup would be (when the command line options are merged):

```ini
[backup_agent]
command = /usr/lib/foundationdb/backup_agent/backup_agent --tls_certificate_file /etc/foundationdb/fdb.pem --tls_key_file /etc/foundationdb/private.key --tls_ca_file /etc/foundationdb/cert.crt
```
Until then (for my and others’ reference), backups can be performed by starting a “TLS happy” backup agent and running the standard backup operations as expected:

```sh
FDB_TLS_CERTIFICATE_FILE="/etc/foundationdb/fdb.pem" FDB_TLS_KEY_FILE="/etc/foundationdb/private.key" FDB_TLS_CA_FILE="/etc/foundationdb/cert.crt" /usr/lib/foundationdb/backup_agent/backup_agent -C /etc/foundationdb/fdb.cluster
```
I’ll look at adding a few small bits to FoundationDB’s TLS docs to make it easier for the next person who doesn’t have an @ajbeamon appear magically out of nowhere to help them.
tldr; I honestly can’t tell you how excited I am. As noted in the original post, I’m a strong believer in the FoundationDB layered philosophy but I am almost equally amazed by the responsiveness of the forums and community. I’ll be contributing to it for certain.
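The post above shows two ways of handing the same three TLS files to the backup agent: the `FDB_TLS_*` environment variables for a hand-started agent, and the `--tls_*` flags in the `[backup_agent]` section of the fdbmonitor config once those options are merged. The script below is an added example (not code from the post or from the FoundationDB project) that renders both launch forms from one set of paths and runs a pre-flight check on the files first: each must exist, each must carry the expected PEM block, and the private key must not be group- or world-readable, since fdbmonitor will happily start an agent with a key that every local user can copy. The check logic and the `make_sample_tls_dir` helper (which writes constructed placeholder PEM files, not real credentials) are my own assumptions about what is worth verifying; the environment variable names, flag names and default binary path are taken from the post.

```python
import os
import stat
import tempfile
from pathlib import Path

# Environment variables and command-line flags the backup agent accepts for TLS,
# as shown in the post above.
ENV_NAMES = {
    "certificate": "FDB_TLS_CERTIFICATE_FILE",
    "key": "FDB_TLS_KEY_FILE",
    "ca": "FDB_TLS_CA_FILE",
}
FLAG_NAMES = {
    "certificate": "--tls_certificate_file",
    "key": "--tls_key_file",
    "ca": "--tls_ca_file",
}
BACKUP_AGENT = "/usr/lib/foundationdb/backup_agent/backup_agent"


def check_tls_files(cert, key, ca):
    """Pre-flight checks on the three TLS files; returns a list of problems (empty = OK).

    These are assumed checks, not anything the FDB tooling itself performs: each file
    must exist, carry the expected PEM marker, and the private key must not be
    group/world readable.
    """
    problems = []
    for role, path in (("certificate", cert), ("key", key), ("ca", ca)):
        p = Path(path)
        if not p.is_file():
            problems.append(f"{role}: {p} does not exist")
            continue
        text = p.read_text(errors="replace")
        if role == "key":
            if "PRIVATE KEY-----" not in text:
                problems.append(f"key: {p} does not contain a PEM private key block")
            mode = stat.S_IMODE(p.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"key: {p} is readable by group/others (mode {mode:04o})")
        elif "-----BEGIN CERTIFICATE-----" not in text:
            problems.append(f"{role}: {p} does not contain a PEM certificate block")
    return problems


def backup_agent_env(cert, key, ca, base_env=None):
    """Environment for launching backup_agent by hand (the interim approach in the post)."""
    env = dict(os.environ if base_env is None else base_env)
    for role, path in (("certificate", cert), ("key", key), ("ca", ca)):
        env[ENV_NAMES[role]] = str(path)
    return env


def backup_agent_conf_section(cert, key, ca, binary=BACKUP_AGENT):
    """Render the [backup_agent] fdbmonitor section using the command-line flags from the post."""
    flags = " ".join(
        f"{FLAG_NAMES[role]} {path}"
        for role, path in (("certificate", cert), ("key", key), ("ca", ca))
    )
    return f"[backup_agent]\ncommand = {binary} {flags}\n"


def make_sample_tls_dir(world_readable_key=False):
    """Create constructed placeholder PEM files in a temp dir (NOT real credentials)."""
    d = Path(tempfile.mkdtemp(prefix="fdb-tls-"))
    cert, key, ca = d / "fdb.pem", d / "private.key", d / "cert.crt"
    cert_pem = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    cert.write_text(cert_pem)
    ca.write_text(cert_pem)
    key.write_text("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    # 0600 is the expected mode for a private key; 0644 reproduces the misconfiguration.
    os.chmod(key, 0o644 if world_readable_key else 0o600)
    return str(cert), str(key), str(ca)


if __name__ == "__main__":
    files = make_sample_tls_dir()
    print("problems:", check_tls_files(*files) or "none")
    print(backup_agent_conf_section(*files))
    print(check_tls_files(*make_sample_tls_dir(world_readable_key=True)))
```

Run `check_tls_files` against the real `/etc/foundationdb/*` paths before dropping the rendered section into `foundationdb.conf`; an empty list means the agent will at least find usable-looking files, and the permission check catches the common case of a key copied over with default `umask` bits.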