FortiGate
Ylli_Seitaj
Staff
Article Id 321178
Description: This article describes how to fix a server's certificate chain when it is shown as 'Incomplete' on a Qualys SSL scan.
Scope: FortiGate.
Solution:

When the server's certificate chain is incomplete, Qualys flags it at the top of the scan and again under the section 'Additional Certificates (if supplied)', as below:

This happens when the server certificate is missing on the FortiGate. Either upload the server certificate if one already exists, or create a CSR on the FortiGate, have the CA sign it, and upload the signed certificate.

[Image: Screenshot_1.png]

[Image: Screenshot_2.png]

To fix the issue, the intermediate certificate should be imported into the FortiGate. If a third-party certificate is used, the intermediate is usually included in the certificate bundle from the CA.

To confirm which certificate is needed, look at the 'Issuer' of the server certificate imported on the FortiGate; the intermediate to import is generally that issuer.
For example, 'Sectigo Public Server Authentication CA OV R36' would be needed for the following certificate:

[Image: issuedby.PNG]


Download that certificate from the CA's site or take it from the certificate bundle provided by the CA. Its 'Issued to' value should be that same name:

[Image: issuedto.PNG]

Once confirmed, import this as a 'CA Certificate' on the FortiGate. If this certificate is used for SSL VPN, be careful! Importing it will disconnect all connected users.

[Image: Screenshot_3.png]

At this point, the full SSL chain should be present on the FortiGate. If there are still issues, check the following:

If the certificate is signed by a third-party issuer (for example, GoDaddy or DigiCert) and the server certificate chain still shows as incomplete, the certificate issuer has to fix it; this is not a Fortinet issue.

Check the following:

  • Whether the certificate has expired.
  • Whether the certificate has been revoked.
  • Whether the wrong intermediate certificate was imported for the server (end-entity) certificate.

After checking and fixing these, re-import the new intermediate certificate, along with the end-entity certificate, into the FortiGate certificate store.
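The issuer matching and the chain check described above can be reproduced on a workstation with the openssl CLI before touching the FortiGate. The script below is an added example, not part of the Fortinet article and not FortiGate code. It builds a throwaway root, intermediate and server certificate (all names are constructed: 'Example Test Root CA', 'Example Test Intermediate CA', 'vpn.example.test'), confirms that the server certificate's 'Issuer' equals the intermediate's 'Issued to' (subject) but not the root's, and shows that verifying against the root alone reports the chain as incomplete while supplying the intermediate makes it pass. A small expiry check covers the first item of the checklist above.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): build a throwaway
# root -> intermediate -> server chain and show how a verifier reacts
# when the intermediate is missing (an "incomplete" chain, as Qualys
# reports it) versus supplied. Requires the openssl CLI (1.1.1 or later).
# All names (Example Test Root CA, vpn.example.test, ...) are constructed.
set -e

# Write a minimal openssl config to stdout: $1 = CN, remaining args = extension lines.
write_cnf() {
  cn="$1"; shift
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n[ext]\n' "$cn"
  for line in "$@"; do printf '%s\n' "$line"; done
}

# Create root.pem, inter.pem and server.pem (plus keys) in directory $1.
make_chain() {
  d="$1"
  write_cnf "Example Test Root CA" \
    "basicConstraints = critical, CA:TRUE" "keyUsage = critical, keyCertSign, cRLSign" > "$d/root.cnf"
  write_cnf "Example Test Intermediate CA" \
    "basicConstraints = critical, CA:TRUE, pathlen:0" "keyUsage = critical, keyCertSign, cRLSign" > "$d/inter.cnf"
  write_cnf "vpn.example.test" \
    "basicConstraints = CA:FALSE" "subjectAltName = DNS:vpn.example.test" > "$d/server.cnf"

  # Self-signed root CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$d/root.cnf" \
    -extensions ext -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA: CSR, then signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/inter.cnf" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/inter.cnf" -extensions ext -out "$d/inter.pem" 2>/dev/null
  # Server (end-entity) certificate: CSR, then signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/server.cnf" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 30 -extfile "$d/server.cnf" -extensions ext -out "$d/server.pem" 2>/dev/null
}

# 'Issued by' and 'Issued to' of a certificate, in RFC 2253 form so they compare exactly.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# Succeeds only if the certificate is still within its validity period.
not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# Print "complete" or "incomplete": $1 = trusted root, $2 = intermediate ("" = none), $3 = server cert.
# Without the intermediate, openssl cannot reach the root and reports
# "unable to get local issuer certificate", the same gap Qualys shows.
verify_chain() {
  if [ -n "$2" ]; then set -- -CAfile "$1" -untrusted "$2" "$3"; else set -- -CAfile "$1" "$3"; fi
  if openssl verify "$@" >/dev/null 2>&1; then echo complete; else echo incomplete; fi
}

# Demonstration run.
WORK="$(mktemp -d)"
make_chain "$WORK"
echo "Server cert 'Issued by':      $(issuer_of "$WORK/server.pem")"
echo "Intermediate 'Issued to':     $(subject_of "$WORK/inter.pem")"
echo "Chain without intermediate:   $(verify_chain "$WORK/root.pem" "" "$WORK/server.pem")"
echo "Chain with intermediate:      $(verify_chain "$WORK/root.pem" "$WORK/inter.pem" "$WORK/server.pem")"
```

To apply the same check to a real server, replace the generated files with the server certificate and candidate intermediate exported from the CA bundle; if `issuer_of server.pem` does not match `subject_of intermediate.pem`, the wrong intermediate was picked, which is the third item in the checklist above.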


Related document:

Uploading a certificate using the GUI