Yes, in standard usage you will need to add your Root and Intermediate CA certificates to the TrustedDownloadCerts directory on the server.
This is not automatically distributed to Relays or Clients. You only need to configure this on Relays and Clients if they are performing direct Internet downloads ( using the settings for _BESClient_Download_Direct or one of the domain list variants on clients, or _BESGather_Download_CheckInternetFlag on Relays, or the “download now” ActionScript command). Otherwise, by default only the Root Server is actually doing the Internet downloads and needs the certificate trust list updated.