The scenario is that a certificate is created in the console but not renewed. It's essentially a placeholder, but it's configured with a CA and all the necessary components. In some cases, this cert may also be associated with one or more applications.
Then, in the logs, you may see "Certificate Scheduled for Processing". This appears without the "Admin UI - Renew Now" or similar message you would normally see.
Because of Automatic Renewal, the Nightly Tasks trigger this automated renewal for any cert that is not yet renewed or doesn't yet exist in the system (e.g. imported manually). There is a setting, "Disable Automatic Renewal", which can be set on the certificate or in a policy. If this remains as "no" for a certificate that is NOT disabled, then the Nightly Tasks will automatically renew the certificate.
Additionally, if the certificate is configured for provisioning and has been associated with applications, the renewal will push that cert out to all of those applications. This is by design for the renewal process.
To avoid this, you can 1) manually enroll the cert instead of letting the process kick off during Nightly Tasks, 2) set "Disable Automatic Renewal" to "yes" to disable automatic renewal, or 3) set the certificate to Disabled until you are ready to work with it.
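One way to spot these Nightly Tasks renewals in an exported log, as an added example that is not part of the original article or the product's own tooling: it flags each "Certificate Scheduled for Processing" event that has no "Admin UI - Renew Now" event for the same certificate shortly before it. The tab-separated export layout, the five-minute window, the function name and the sample lines are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Event texts quoted in the article above.
SCHEDULED = "Certificate Scheduled for Processing"
MANUAL = "Admin UI - Renew Now"

# Constructed sample export. Assumed layout: ISO timestamp, certificate, event text.
SAMPLE_LOG = """\
2024-03-01T09:15:02\tapp1.example.com\tAdmin UI - Renew Now
2024-03-01T09:15:05\tapp1.example.com\tCertificate Scheduled for Processing
2024-03-02T01:00:11\tplaceholder.example.com\tCertificate Scheduled for Processing
2024-03-02T01:00:40\tplaceholder.example.com\tSome other event
this line is malformed and is skipped
2024-03-05T10:00:00\tapp2.example.com\tAdmin UI - Renew Now
2024-03-06T01:00:09\tapp2.example.com\tCertificate Scheduled for Processing
"""


def unattended_renewals(log_text, window=timedelta(minutes=5)):
    """Return (timestamp, certificate) for every SCHEDULED event that has no
    MANUAL event for the same certificate within `window` before it."""
    rows = csv.reader(io.StringIO(log_text), delimiter="\t")
    # Keep only well-formed rows and order them by time, since exports
    # are not guaranteed to be sorted.
    events = sorted(
        (datetime.fromisoformat(ts), cert, text.strip())
        for ts, cert, text in (r for r in rows if len(r) == 3)
    )
    last_manual = {}  # certificate -> time of its most recent manual renew
    findings = []
    for when, cert, text in events:
        if text == MANUAL:
            last_manual[cert] = when
        elif text == SCHEDULED:
            seen = last_manual.get(cert)
            # No manual action at all, or one too old to explain this event.
            if seen is None or when - seen > window:
                findings.append((when.isoformat(), cert))
    return findings


if __name__ == "__main__":
    for when, cert in unattended_renewals(SAMPLE_LOG):
        print(f"{when}  {cert}  renewed without a manual 'Renew Now'")
```

Certificates it reports are candidates for checking the "Disable Automatic Renewal" setting and any application associations before the next Nightly Tasks run.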