After spending some agonizing hours in a world of x509 & al. (i.e. including but not limited to trying to generate e.g. correct root CA and codesigning certificates with the help of a openssl etc.) the solution turned out to be quite simple and obvious.
So...in order to get midlet a) signed and b) work correctly in 6600 (4.09.1) (as a trusted third party software) one might want to do this:
1) Create a RSA key with keytool like:
keytool -genkey -keyalg RSA .....
2) Self certificate the key:
keytool -selfcert .....
3) Export self certified key:
keytool -export -file some.cer .....
4) Send this some.cer to 6600 via e.g. bluetooth, save it and adjust trust settings
5) Use Sun's WTK...File --> Utilities --> Sign Midlet --> Import Key Pair...(from a keystore where you had just put your newly created certificate)
6) Sign your midlet with this certificate and download it via OTA to 6600 or send it via bluetooth (remember to send both jad and jar).
Summasummarum...after these operations user can give a permission for a midlet to use e.g. PushRegistry alarms so that firmware doesn't always request confirmation from an end user.