Ylli_Seitaj
Staff
Article Id 321178
Description This article describes how to fix a server's certificate chain when it is shown as 'Incomplete' on a Qualys SSL scan.
Scope FortiGate.
Solution 

When the server's certificate chain is incomplete, this is shown at the top of the scan results and also under the 'Additional Certificates' section (if supplied), as below:

 

This happens when the server certificate is missing on the FortiGate. Either upload the server certificate if one already exists, or create a CSR on the FortiGate, complete the CA signing process and upload the signed certificate.

 

Screenshot_1.png

 

Screenshot_2.png

 

To fix the issue, upload the server certificate again or generate a new CSR, depending on how the certificate was created.

To delete the expired or existing certificate, go to System -> Certificate and select the certificate to delete.

To upload the certificate again or to generate a new CSR, select 'Create/Import' and choose 'Certificate' or 'Generate CSR', as below:

Screenshot_3.png

 

For the next steps to upload the certificate or to generate a new CSR, follow the document below:

If the certificate is signed by a third-party certificate issuer (e.g. GoDaddy, DigiCert) and the server certificate chain is shown as incomplete, it has to be fixed by the certificate issuer; this is not a Fortinet issue.

The following points need to be checked:

  • Whether the certificate is expired.
  • Whether the certificate is revoked.
  • Whether the intermediate certificate for the server or end-entity certificate is incorrect.

After checking and fixing these points, the new intermediate certificate, along with the end-entity certificate, needs to be re-imported into the FortiGate certificate store.
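
A local check for two of the points above (expiry and the correct intermediate) that can be run before re-importing, given as an added example that is not Fortinet's code: it builds a constructed three-tier test PKI with the openssl CLI and shows that the end-entity certificate only verifies when the right intermediate is supplied. The function names, file names and CNs are assumptions; revocation is not covered because it needs the issuer's CRL or OCSP responder.

```shell
#!/bin/sh
# Added example. All certificates are constructed test data; requires the openssl CLI.

# build_test_pki DIR: write a root CA, an intermediate CA and a server
# (end-entity) certificate signed by the intermediate into DIR.
build_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Constructed Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=vpn.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# chain_status LEAF ROOT [INTERMEDIATES]: "complete" if LEAF verifies up to ROOT
# using only the intermediates supplied, otherwise "incomplete".
chain_status() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi && echo complete || echo incomplete
}

# expiry_status CERT: "valid" if CERT has not passed its notAfter date, else "expired".
expiry_status() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 && echo valid || echo expired
}

A=$(mktemp -d); B=$(mktemp -d)   # B is an unrelated PKI, used as the wrong intermediate
trap 'rm -rf "$A" "$B"' EXIT
build_test_pki "$A"; build_test_pki "$B"

echo "end-entity only:            $(chain_status "$A/leaf.pem" "$A/root.pem")"
echo "with incorrect intermediate: $(chain_status "$A/leaf.pem" "$A/root.pem" "$B/int.pem")"
echo "with correct intermediate:   $(chain_status "$A/leaf.pem" "$A/root.pem" "$A/int.pem")"
echo "end-entity expiry:           $(expiry_status "$A/leaf.pem")"
```

For a real certificate, pass the issuer's root as ROOT and the intermediate file received from the issuer as INTERMEDIATES.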


Related article:

Uploading a certificate using the GUI