Generally speaking, you should be putting the root cert in stuff. The model generally works like this:
Clients
Have the root cert "pinned" (i.e. embedded in the trust store).
Whenever they validate a cert, it needs to trace back to some cert in their trust store. The number of intermediate certs between the end-cert and the pinned cert should be irrelevant, so there's no reason not to pin a root cert - at least from the client's perspective.
Certificate Authorities
What to do in the case of the CA key being compromised is a big concern for people who run CAs. To make the cleanup easier in the case of something bad, people usually use an "offline root":
Have your root CA sign some subordinate CAs, then unplug the root CA (if the CA is a dedicated physical server), or hide the root private key on a well-protected backup disk and make sure there are no copies floating around. This makes it very hard for hackers to steal the private key.
Do your day-to-day cert issuance, CRL publishing / OCSP, etc. off the intermediates. They are connected to the internet and therefore at higher risk of compromise.
In the case of compromise of an intermediate CA, you can fire up your root CA, revoke that intermediate, bring up a brand new intermediate and re-issue all of the legitimate certs that got incidentally revoked.
Servers that were using certs signed by that intermediate will have to install the newly-issued cert since their old ones are now revoked.
Clients will be completely unaffected since they have pinned the root cert, so swapping around the intermediates has absolutely no effect.
As a thought experiment, compare the above to what you would have to do if your root CA key gets compromised. Since it can take months to years for a root to get embedded in the public browsers, VPN clients, other servers, etc., it probably means the CA will go out of business.
Advantages of pinning a root, vs pinning an intermediate:
- The example above illustrates that pinning the root makes it MUCH easier to cleanup from a compromise because you can simply revoke the compromised intermediate, re-issue some certs and move on with your life.
- There are fewer certs in your trust store. If everybody had to pin every intermediate, everybody's trust stores would be much larger to the point where it could impact the performance of cert validation since searching the trust store would take longer.
- Load-balancing: by pinning the root you're free to re-arrange the topology of your intermediates, or even put them behind a load-balancer for handling cert requests and the clients won't care.
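The whole procedure above, walked through with the openssl CLI, as an added example that is not part of the original answer: a self-signed root whose key is only touched for revocation, an online intermediate that issues a server cert, the intermediate's compromise handled by revoking it from the root and publishing a CRL, and a replacement intermediate (two tiers deep, to show that chain depth does not matter) issuing a new server cert that the client's unchanged root-only trust store still accepts. All names (Example Root CA, int1/int2/int2b, www.example.test), the config file and the directory layout are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original answer. Requires the openssl CLI
# (1.1.1 or 3.x). Everything happens in a throwaway directory.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Self-contained config so the demo does not depend on the system openssl.cnf.
# The [ca] section is only used by the root, and only to revoke and sign a CRL.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test

[ca]
default_ca = root_ca
[root_ca]
dir = ./root
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = ./root.pem
private_key = ./root.key
default_md = sha256
default_crl_days = 30
policy = any_policy
[any_policy]
commonName = supplied
EOF

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1"; }

# issue <name> <CN> <issuer-name> <extension-section>
# Generates a key and CSR for <name> and has <issuer> sign it.
issue() {
    newkey "$1.key"
    openssl req -new -key "$1.key" -subj "/CN=$2" -config pki.cnf -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 365 -sha256 -extfile pki.cnf -extensions "$4" -out "$1.pem"
}

build_pki() {
    # 1. Root: self-signed. After this step the key would go to the safe.
    newkey root.key
    openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 3650 \
        -config pki.cnf -extensions v3_ca -out root.pem

    # 2. Day-to-day issuance happens on the online intermediate int1.
    issue int1 "Example Issuing CA 1" root v3_ca
    issue leaf1 "www.example.test" int1 v3_leaf
    cat int1.pem > chain1.pem        # what the server sends alongside leaf1

    # 3. int1's key is stolen. The root comes out of the safe just long enough
    #    to revoke int1 and publish a CRL, then signs the replacement int2.
    mkdir -p root/newcerts; : > root/index.txt; echo 01 > root/serial
    openssl ca -config pki.cnf -revoke int1.pem
    openssl ca -config pki.cnf -gencrl -out root.crl

    issue int2 "Example Issuing CA 2" root v3_ca
    # An extra tier under int2: a root-anchored client does not care how deep
    # the chain is, as long as every link is served and validates.
    issue int2b "Example Issuing CA 2b" int2 v3_ca
    issue leaf2 "www.example.test" int2b v3_leaf
    cat int2b.pem int2.pem > chain2.pem
}

# Client view: the trust store holds root.pem only; the chain comes from the server.
client_verify() { openssl verify -CAfile root.pem -untrusted "$2" "$1"; }

# Is a cert issued directly by the root still good according to the root's CRL?
root_crl_check() { openssl verify -crl_check -CAfile root.pem -CRLfile root.crl "$1"; }

build_pki
client_verify leaf1.pem chain1.pem   # still OK: a client that skips revocation checks
                                     # keeps trusting certs from the stolen int1
root_crl_check int1.pem || echo "int1 is revoked by the root CRL, as intended"
root_crl_check int2.pem              # OK
client_verify leaf2.pem chain2.pem   # OK with the same root.pem, no client change
```

The `leaf1` check passing after the compromise is the caveat to keep in mind: revoking the intermediate only protects clients that actually consult the root's CRL (or OCSP); re-issuing the legitimate certs from `int2` is what lets servers move off the revoked path.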