diff --git a/plugins/inputs/nats_consumer/README.md b/plugins/inputs/nats_consumer/README.md
index 9c3bfb2d7..205578a17 100644
--- a/plugins/inputs/nats_consumer/README.md
+++ b/plugins/inputs/nats_consumer/README.md
@@ -21,6 +21,9 @@ instances of telegraf can read from a NATS cluster in parallel.
   # username = ""
   # password = ""
 
+  ## Use Transport Layer Security
+  # secure = false
+
   ## Optional TLS Config
   # tls_ca = "/etc/telegraf/ca.pem"
   # tls_cert = "/etc/telegraf/cert.pem"
diff --git a/plugins/inputs/nats_consumer/nats_consumer.go b/plugins/inputs/nats_consumer/nats_consumer.go
index 7ee05bc17..b82e3f3a6 100644
--- a/plugins/inputs/nats_consumer/nats_consumer.go
+++ b/plugins/inputs/nats_consumer/nats_consumer.go
@@ -35,11 +35,10 @@ type natsConsumer struct {
 	QueueGroup string   `toml:"queue_group"`
 	Subjects   []string `toml:"subjects"`
 	Servers    []string `toml:"servers"`
+	Secure     bool     `toml:"secure"`
 	Username   string   `toml:"username"`
 	Password   string   `toml:"password"`
 	tls.ClientConfig
-	// Legacy; Should be deprecated
-	Secure bool `toml:"secure"`
 
 	// Client pending limits:
 	PendingMessageLimit int `toml:"pending_message_limit"`
@@ -66,8 +65,7 @@ type natsConsumer struct {
 var sampleConfig = `
   ## urls of NATS servers
   servers = ["nats://localhost:4222"]
-  ## Deprecated: Use Transport Layer Security
-  secure = false
+
   ## subject(s) to consume
   subjects = ["telegraf"]
   ## name a queue group
@@ -77,6 +75,9 @@ var sampleConfig = `
   # username = ""
   # password = ""
 
+  ## Use Transport Layer Security
+  # secure = false
+
   ## Optional TLS Config
   # tls_ca = "/etc/telegraf/ca.pem"
   # tls_cert = "/etc/telegraf/cert.pem"
@@ -147,18 +148,14 @@ func (n *natsConsumer) Start(acc telegraf.Accumulator) error {
 		opts.Password = n.Password
 	}
 
-	// override TLS, if it was specified
-	tlsConfig, err := n.ClientConfig.TLSConfig()
-	if err != nil {
-		return err
-	}
-	if tlsConfig != nil {
-		// set NATS connection TLS options
+	if n.Secure {
+		tlsConfig, err := n.ClientConfig.TLSConfig()
+		if err != nil {
+			return err
+		}
+
 		opts.Secure = true
 		opts.TLSConfig = tlsConfig
-	} else {
-		// should be deprecated; use TLS
-		opts.Secure = n.Secure
 	}
 
 	if n.conn == nil || n.conn.IsClosed() {