You don't need to make a certificate chain, but I'd consider it good practice. You'd install one self-signed certificate that's marked as a Certificate Authority (CA) on your Windows computers, then you can create more certificates and sign them with your CA certificate, and the computers will trust them. For the common name of the CA certificate, I use CompanyName-CA and not a URL.
When you install the CA certificate, you have to install it to the local system store. By default, Windows selects the user profile store. For SSTP VPNs, it must go to the local system store.
Then create a new key and new certificate where CN=YourURL.ddns.org and sign it with your CA certificate.
Now install that certificate and its private key into the Mikrotik. The Mikrotik does not need the CA certificate installed unless you will also be using client-side certificates that will be verified.
When importing the Key and Cert on the Mikrotik, I use PEM format. Some of the other formats didn't work for me. There is an order to import on the Mikrotik and I can't remember. Key then Cert or Cert then Key. Winbox will show the certificate as having a private key, flag=K.
Then of course, don't forget to set the cert in the SSTP server. If you don't, it doesn't tell you in the log, the VPN just gets forcibly closed.
SSTP VPNs do encryption in the CPU and will be slower than L2TP/IPSec. SSTP VPNs work entirely over TCP/443 so it's very NAT friendly. L2TP/IPSec is UDP port 4500. Since SSTP uses the same port as HTTPS, it's the most likely VPN to get around firewalls. If your SSTP VPN maxes out your CPU in the Mikrotik, you'll have packet loss and your internet will become flaky.
My SSTP implementations have worked very well.
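
The certificate steps described in the post above, as an added example that is not part of the original post: an OpenSSL script that creates the CA, signs a server certificate for the VPN hostname, and checks the result before anything is imported. File names, key size, lifetimes and the added subjectAltName/extendedKeyUsage extensions are assumptions, and `make_sstp_certs` and `key_matches_cert` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example, not from the post: private CA plus CA-signed SSTP server certificate.
# File names, key size and lifetimes are assumptions; the CNs are passed in by the caller.
make_sstp_certs() (   # usage: make_sstp_certs <dir> <vpn-hostname> <ca-common-name>
    dir="$1"; host="$2"; ca_cn="$3"
    mkdir -p "$dir" && cd "$dir" || exit 1
    umask 077   # generated files, including private keys, readable by the owner only
    cat > openssl.cnf <<EOF || exit 1
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Self-signed certificate marked as a CA (the one installed on the Windows computers).
    openssl req -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/CN=$ca_cn" -keyout ca.key -out ca.crt || exit 1
    # 2. New key and signing request with CN set to the VPN hostname.
    openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -keyout server.key -out server.csr || exit 1
    # 3. Sign the request with the CA key; output is PEM, the format imported on the router.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile openssl.cnf -extensions v3_server -sha256 -days 825 -out server.crt || exit 1
    # 4. Confirm the server certificate chains to the CA and is valid for TLS server use.
    openssl verify -CAfile ca.crt -purpose sslserver server.crt || exit 1
)

# Succeeds only if the private key belongs to the certificate; a mismatched pair
# will not give the "certificate has a private key" state after import.
key_matches_cert() {   # usage: key_matches_cert <key.pem> <cert.pem>
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run directly as: script.sh <dir> <vpn-hostname> <ca-common-name>
if [ "$#" -eq 3 ]; then make_sstp_certs "$@"; fi
```

Only `ca.crt` goes to the Windows machines; `ca.key` stays offline, and `server.crt` with `server.key` are the pair for the router.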