Files in ccd are named after the CN (common name) field of the certificate, so essentially you are asking "how do I make sure no duplicate CNs appear in my VPN certificates".
It's the CA's duty to make sure certificates are correct and all information in them is valid. That is the sole purpose of having a Certificate Authority: it signs the certificates and thereby witnesses the validity of their contents. So it's your job, as the VPN CA operator, to check everything before issuing.
To aid in that, SSL CA software permits setting various restrictions on what data can be in certificates. For instance, if you use OpenVPN's EasyRSA for CA management, by default it will prevent the issuance of two simultaneously valid certificates with the same CN. In other words, if you have a certificate for CN=user, it won't sign another certificate with CN=user unless you revoke (invalidate) the previous certificate. (For this to fully work, you must use crl-verify in the VPN server configuration.) Other CA solutions also allow the same type of restriction; in one case we used MS AD Certificate Services for that, and it worked as desired.
It is possible to do nasty things if you have access to the CA, for example to alter the configuration or clone the CA store (which is a directory in the case of EasyRSA) and issue "stray" certificates. This is why you must keep an eye on your CA and not let strangers access it. Store it on an encrypted drive, store the CA private key separately, use tokens and so on. It is, again, your duty to keep everything secure.
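As an added example (not part of the answer above, and not EasyRSA's own code), here is a small audit script for the check the answer describes: it reads an OpenSSL-style CA database (the index.txt file EasyRSA keeps in its PKI directory) and reports any common name held by more than one still-valid certificate. Revoked (R) and expired (E) entries are ignored, since a revoked certificate may legitimately be replaced by a new one with the same CN. The index.txt contents embedded below are constructed sample data.

```python
"""Audit an OpenSSL CA database (index.txt) for duplicate CNs among valid certs.

index.txt is tab-separated, one certificate per line:
  status (V/R/E)  notAfter (YYMMDDHHMMSSZ)  revocation date  serial  filename  subject DN
The subject DN is OpenSSL's one-line form, e.g. /C=US/O=Example/CN=alice.
Example code added alongside the answer; not from EasyRSA or OpenVPN.
"""

import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample index.txt: bob was revoked and reissued (fine),
# dave's old cert expired and was reissued (fine), carol has two live certs (problem).
SAMPLE_INDEX = (
    "V\t301231235959Z\t\t01\tunknown\t/CN=alice\n"
    "R\t301231235959Z\t240101120000Z\t02\tunknown\t/CN=bob\n"
    "V\t301231235959Z\t\t03\tunknown\t/CN=bob\n"
    "V\t301231235959Z\t\t04\tunknown\t/C=US/O=Example/CN=carol\n"
    "V\t301231235959Z\t\t05\tunknown\t/CN=carol\n"
    "E\t200101000000Z\t\t06\tunknown\t/CN=dave\n"
    "V\t301231235959Z\t\t07\tunknown\t/CN=dave\n"
)


def cn_from_subject(subject):
    """Return the CN value from a one-line DN, or None if there is no CN."""
    for rdn in subject.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    return None


def parse_index(text):
    """Yield (status, notAfter, serial, cn) for every entry in index.txt."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, not_after, _revoked, serial, _fname, subject = fields
        yield status, not_after, serial, cn_from_subject(subject)


def is_live(status, not_after, as_of):
    """True if the entry is a currently valid certificate.

    OpenSSL only rewrites V to E when `openssl ca -updatedb` is run, so when an
    as_of time is given the notAfter field is checked as well to catch stale databases.
    """
    if status != "V":
        return False
    if as_of is None:
        return True
    return datetime.strptime(not_after, "%y%m%d%H%M%SZ") > as_of


def duplicate_valid_cns(text, as_of=None):
    """Return {cn: [serials]} for every CN held by more than one live certificate."""
    by_cn = defaultdict(list)
    for status, not_after, serial, cn in parse_index(text):
        if cn is not None and is_live(status, not_after, as_of):
            by_cn[cn].append(serial)
    return {cn: serials for cn, serials in by_cn.items() if len(serials) > 1}


if __name__ == "__main__":
    # Usage: python audit_index.py /path/to/pki/index.txt   (defaults to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INDEX
    dups = duplicate_valid_cns(data, as_of=datetime.utcnow())
    for cn, serials in sorted(dups.items()):
        print(f"CN={cn} has {len(serials)} valid certificates: {', '.join(serials)}")
    sys.exit(1 if dups else 0)
```

Run it against the real index.txt from a cron job or before handing out new client configs; a non-zero exit means two live certificates share a CN and would collide on the same ccd file. It complements, rather than replaces, crl-verify on the server: the script tells you the CA database is clean, crl-verify makes the server actually reject the revoked certificate.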