
Your chain should start with the certificate that signs your server's certificate and continue up to, but not including, a root certificate that's trusted in all browsers.

Certificates can have multiple chains to a root certificate, some longer than the others, so to optimize you should pick the shortest chain. There's a trade-off to be made with browser support, because a short chain might be to a root that's not trusted in all browsers. The chain cert generator[1] picks the shortest chain that's to a root that's trusted in all reasonably recent browsers (basically everything you're likely to encounter today except Android 2.2, which is woefully lacking in both root certificates and modern TLS support).

An FAQ is a good idea; OCSP stapling seems a little out-of-scope but I'll think about it.

[1] Source code: https://github.com/SSLMate/mkcertchain
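A small chain builder that models the selection rule described above, as an added example rather than mkcertchain's own code: certificates are constructed subject/issuer records instead of parsed X.509, and the two trust stores are made up. It picks the shortest path from the leaf to a trusted root via breadth-first search, returns only the intermediates (the root itself is never sent), and shows how requiring a root trusted in every store can force a longer chain.

```python
from collections import deque

# Constructed certificate pool: a leaf, one intermediate issued by a newer
# root (G2), a cross-signed copy of G2 issued by an older root (G1), and the
# two self-signed roots. Subject/issuer strings stand in for X.509 names.
POOL = [
    {"id": "leaf",     "subject": "example.com",             "issuer": "Example CA Intermediate"},
    {"id": "int",      "subject": "Example CA Intermediate", "issuer": "Example Root G2"},
    {"id": "g2-xsign", "subject": "Example Root G2",         "issuer": "Example Root G1"},
    {"id": "root-g2",  "subject": "Example Root G2",         "issuer": "Example Root G2"},
    {"id": "root-g1",  "subject": "Example Root G1",         "issuer": "Example Root G1"},
]

# Hypothetical trust stores: a modern browser trusts both roots, a legacy
# one (think Android 2.2 in the comment above) only the older G1 root.
MODERN_STORE = {"Example Root G1", "Example Root G2"}
LEGACY_STORE = {"Example Root G1"}


def build_chain(leaf_id, pool, trusted_roots):
    """Return the shortest list of intermediate ids linking leaf_id to a root
    in trusted_roots, excluding the root itself, or None if none exists."""
    by_id = {c["id"]: c for c in pool}
    leaf = by_id[leaf_id]
    queue = deque([(leaf, [])])   # (current cert, intermediates so far)
    seen = {leaf_id}
    while queue:
        cert, path = queue.popleft()
        # The cert above this one is a trusted root: stop before including it.
        if cert["issuer"] in trusted_roots:
            return path
        for cand in pool:
            is_self_signed = cand["subject"] == cand["issuer"]
            if (cand["subject"] == cert["issuer"] and not is_self_signed
                    and cand["id"] not in seen):
                seen.add(cand["id"])
                queue.append((cand, path + [cand["id"]]))
    return None


def chain_for_all(leaf_id, pool, stores):
    """Shortest chain to a root trusted in every store (intersection), i.e.
    the cross-browser choice, at the cost of possibly one more cert."""
    return build_chain(leaf_id, pool, set.intersection(*stores))


if __name__ == "__main__":
    print("modern only:", build_chain("leaf", POOL, MODERN_STORE))
    print("all browsers:", chain_for_all("leaf", POOL, [MODERN_STORE, LEGACY_STORE]))
```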



Doesn't it seem that configuration is needlessly complex for certificates? I think it would be easier to list the entire chain in one directive:

    TLSCertificates /path/to/host.crt /path/to/intermediate.crt /path/to/root.crt

That would support any number of intermediates and remove the need to concatenate certificates into a single file. Terminating with the root certificate would be optional, but if present the server could perform a check to verify the chain to the very end when starting.



