When does one load new ca-certs onto client?

(from Loading SSL keys onto client, which ones?):

As with most tricky things in computers, it depends. :slight_smile:

If you choose to go the "be your own CA" route: Download and run [jsha/minica](https://github.com/jsha/minica) (a small, simple CA intended for use in situations where the CA operator also operates each host where a certificate will be used) with `--domains <your server name>`. Then use the resulting `minica.pem` as `ca-cert.pem`. Make careful backups of all the generated files - without them you won't be able to make new certificates when you need them. Install `<your server name>/cert.pem` and `<your server name>/key.pem` on your server. And be prepared to re-run minica and install the new certs on your server a few months before the old ones expire.

If you choose to go the "trust external CAs (like Let's Encrypt)" route: Make a plan for updating the firmware on your device, or at least updating ca-cert.pem. Before that plan is made, figuring out what to put in ca-cert.pem is premature.
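The two routes above come down to the same client-side mechanics: whatever sits in `ca-cert.pem` is the complete set of CAs the client will trust, the server's certificate must chain to one of them and carry the server's name, and both the leaf and the CA itself have an expiry date that needs a renewal plan. The Go program below is an added illustration, not minica's code or anything from the original thread: it stands in for minica with Go's standard `crypto/x509` to create a private CA and a server certificate for a constructed name (`router.example.internal`), then shows what a client holding that CA as `ca-cert.pem` accepts and rejects, and how many days remain before re-running the CA becomes urgent. Serial numbers, key types and lifetimes are constructed values and do not match minica's defaults.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA, the role minica.pem (installed as ca-cert.pem) plays.
func newCA(name string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed value; a real CA uses random serials
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert signs a leaf for dnsName with the CA, like minica's <domain>/cert.pem.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // constructed value
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // clients match the server name against SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certPEM renders a certificate the way it sits in a .pem file.
func certPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// clientVerify does what a client holding ca-cert.pem does: trust only the CAs in
// that file and require the server certificate to chain to one and carry serverName.
func clientVerify(caCertPEM []byte, server *x509.Certificate, serverName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caCertPEM) {
		return fmt.Errorf("ca-cert.pem holds no parseable certificate")
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return err
}

// daysUntilExpiry and needsRenewal back the "re-run the CA before the old certs
// expire" plan; check the CA certificate too, since it expires as well.
func daysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

func needsRenewal(c *x509.Certificate, now time.Time, thresholdDays int) bool {
	return daysUntilExpiry(c, now) < thresholdDays
}

func main() {
	ca, caKey, err := newCA("example private CA", 2*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	leaf, err := issueServerCert(ca, caKey, "router.example.internal", 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	caCert := certPEM(ca) // this is the content that goes onto the client as ca-cert.pem
	fmt.Println("right CA, right name:", clientVerify(caCert, leaf, "router.example.internal"))
	fmt.Println("right CA, wrong name:", clientVerify(caCert, leaf, "other.example.internal"))
	otherCA, _, _ := newCA("some other CA", 24*time.Hour)
	fmt.Println("wrong CA in ca-cert.pem:", clientVerify(certPEM(otherCA), leaf, "router.example.internal"))
	fmt.Printf("server cert: %d days left, renew now: %v\n",
		daysUntilExpiry(leaf, time.Now()), needsRenewal(leaf, time.Now(), 30))
}
```

The "wrong CA" case is the one that bites after a firmware update or a CA re-run: a server certificate that is perfectly valid still fails on every client whose `ca-cert.pem` was not updated alongside it, which is why the post asks for the update plan before deciding what to put in the file.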
