Should I use Intermediate CA or Root CA certificates for VAULT_CACERT?

The domain certificate is signed by my private Intermediate CA, which is then signed by a self-signed private CA.