If it's on the client side, it's impossible to ever be 100% secure
without server verification: you can't encrypt a decryption key, you have
to leave it in plaintext somewhere.
At the same time it's normally sufficient to just add a verification to
the licence - eg the certificate has a line which is the hash of the
certificate, plus a salt hardcoded in your application. If the user tries
to edit their licence, the hash will change and you can throw an error.
With decryption keys, you should look at public/private key pairs, but
as above, you can't encrypt the decryption key (at least, not without
storing another unencrypted key)