VPN question

I’m new to VPNs and I was wondering about the security of private keys. If a ca private key is stolen, then it can be used to issue CA certificates that could not be told apart from non-forged ones. Or can they? Isn’t there a unique number for eachprivate key that it passes to it’s issued certificates? If not there should be. What other ways are there to figure forged certificates? Dates of issue maybe? That would seem to be very time consuming. I’d appreciate any help.