A little bit of progress on this--I was able to import the root CA cert that Google uses into the appliance's vRO instance and have successfully sent an email using that workflow. Here's what I had to do:
- Start the vRO configuration interface. The vcac-vami tool can't do this for you so I had to run service vco-configurator start
- Log into the configurator at https://<vra host>:8283/vco-config. The default credentials of vmware/vmware are still in place, and it will force you to change the password before doing anything else.
- Click the Network button on the left, then the SSL Trust Manager tab up top.
- Import the certificate. I copied the root certificate to a local file using my web browser and imported that, but importing from URL will work as well if you don't mind having a bunch of intermediate and endpoint certs in your keystore
- Restart the vRO service. Since you're already connected, the Startup Options tab in the configurator is probably the most convenient way of doing this.
Unfortunately that only allows you one import at a time, and the cacerts file in my jdk install has 89 entries. I'm not about to go through that process so many times, so hopefully there's some means of streamlining the process. It also doesn't put the cert into vRA's keystore, and I don't see any similar functionality in the vRA configuration portal.