eternal_noob: Maybe this crazy idea using asymmetric cryptography works:
First, your client and server must be able to communicate securely, recognizing each other as valid interlocutors.
You can do this with a personal TLS certificate that your company specifically issues and integrates into both the client and the server, thus creating the secure channel. Nothing without this certificate should be allowed to communicate with your server.
Second, you start with basic authentication with the server for license generation.
At this point, your server must request identification information from your client, to know if it is registered or not. Normally, it can be PC information such as the serial number of the motherboard and the main hard drive. This information must be obtained on the client and sent to the server, along with a digital signature using the server's public key (all your clients must include this file, so they can use it).
Thus, the server verifies whether or not this data is already registered in its activation database. If it is registered, you know that the client has a valid license and will need to authenticate in a second process using the private key that is already registered on the server (I explain this later). But if the data is not registered, you begin the license generation process for the new client.
To generate the license, you can use a physical key that you give to the client. For example: it can be a string of 32 unique characters that is generated using the private key of your activation server through a signature reduction algorithm (such as the one used by Bitcoin or almost all cryptocurrencies when generating their public keys).
Using this key and the data already captured in the initial step, you can generate a message that contains this data, the activation key, a pair of cryptographic keys (public and private) of the client and a digital signature of everything using the server public key.
The client sends it, the server verifies it, and if everything is fine, your server issues a digital signature (using the client's public key that you have sent to it) that serves as an unlock key for your client. The client will be able to check during startup (you must read the file with that data) whether the signature is valid, since it is signed with its own public key and it has the private key for decryption and verification.
Once the process is completed, your server has the client registered with both its machine data and its public-private key pair; your client has a unique license and knows that it will only be able to communicate with the server using the key pair they have exchanged (the client's public-private pair), and if they get too smart (delete the key, change hardware, or anything) they must reactivate the license, since the initial physical key is no longer useful because it has been registered as used.
This way you make sure that:
1. Your client is unique and identified (using PC serial data).
2. Your client and the server have the same pair of public keys to talk to each other. In this case, the key is the one that the client sends and that has been added as part of the successful activation process.
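The activation flow described in the post above, written out as an added example (this is not eternal_noob's code or the code of any product). It models the pieces the post names: a hardware identifier collected on the client, a one-time physical activation key, a client-generated key pair, a server activation database that marks keys as spent, and a server-signed unlock file the client checks at startup. It assumes the standard Ed25519 convention in which each side signs with its own private key and the other side verifies with the matching public key, and the message layouts, names (`ActivationRequest`, `License`, `Server`, `CheckLicense`) and sample serial strings are all constructed for the example. The TLS channel the post puts around all of this is assumed to exist and is not shown.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ActivationRequest is the client's first message (hypothetical layout).
type ActivationRequest struct {
	HardwareID []byte            // constructed: motherboard + disk serials (or a hash of them)
	Token      string            // one-time physical activation key given to the customer
	ClientPub  ed25519.PublicKey // key pair generated on the client during activation
	ClientSig  []byte            // client signs HardwareID, Token and ClientPub with its private key
}

// License is the unlock file the server returns and the client checks at every start.
type License struct {
	HardwareID []byte
	ClientPub  ed25519.PublicKey
	ServerSig  []byte // server signs HardwareID and ClientPub with its private key
}

// Server is the activation service: its key pair plus the activation database.
type Server struct {
	priv         ed25519.PrivateKey
	unusedTokens map[string]bool              // physical keys not yet consumed
	registered   map[string]ed25519.PublicKey // hardware ID -> client public key
}

func NewServer() (*Server, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, unusedTokens: map[string]bool{}, registered: map[string]ed25519.PublicKey{}}, nil
}

// PublicKey is what every client build embeds so it can verify licenses offline.
func (s *Server) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// IssueToken records a freshly generated physical activation key as unused.
func (s *Server) IssueToken(tok string) { s.unusedTokens[tok] = true }

// encode length-prefixes each field so that "ab"+"c" and "a"+"bc" cannot collide.
func encode(fields ...[]byte) []byte {
	var buf bytes.Buffer
	for _, f := range fields {
		buf.Write([]byte{byte(len(f) >> 8), byte(len(f))}) // 2-byte big-endian length
		buf.Write(f)
	}
	return buf.Bytes()
}

func requestPayload(hw []byte, tok string, pub ed25519.PublicKey) []byte { return encode(hw, []byte(tok), pub) }
func licensePayload(hw []byte, pub ed25519.PublicKey) []byte            { return encode(hw, pub) }

// ClientActivate generates the client key pair and the signed activation request.
func ClientActivate(hw []byte, tok string) (ActivationRequest, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ActivationRequest{}, nil, err
	}
	req := ActivationRequest{HardwareID: hw, Token: tok, ClientPub: pub}
	req.ClientSig = ed25519.Sign(priv, requestPayload(hw, tok, pub))
	return req, priv, nil
}

// Activate checks the request, burns the physical key, records the client and signs the license.
func (s *Server) Activate(req ActivationRequest) (*License, error) {
	if len(req.ClientPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(req.ClientPub, requestPayload(req.HardwareID, req.Token, req.ClientPub), req.ClientSig) {
		return nil, errors.New("client signature invalid")
	}
	if !s.unusedTokens[req.Token] {
		return nil, errors.New("activation key unknown or already used")
	}
	if _, seen := s.registered[string(req.HardwareID)]; seen {
		return nil, errors.New("hardware already registered; reactivation required")
	}
	delete(s.unusedTokens, req.Token) // the physical key is now spent
	s.registered[string(req.HardwareID)] = req.ClientPub
	sig := ed25519.Sign(s.priv, licensePayload(req.HardwareID, req.ClientPub))
	return &License{HardwareID: req.HardwareID, ClientPub: req.ClientPub, ServerSig: sig}, nil
}

// CheckLicense is the startup check: the license must name this machine and this client
// key, and the server's signature over both must verify with the embedded server key.
func CheckLicense(serverPub ed25519.PublicKey, lic *License, hw []byte, clientPub ed25519.PublicKey) bool {
	if lic == nil || !bytes.Equal(lic.HardwareID, hw) || !bytes.Equal(lic.ClientPub, clientPub) {
		return false
	}
	return ed25519.Verify(serverPub, licensePayload(lic.HardwareID, lic.ClientPub), lic.ServerSig)
}

func main() {
	srv, _ := NewServer()
	srv.IssueToken("PHYS-KEY-0001")       // constructed sample physical key
	hw := []byte("MB-SN-123|HDD-SN-456") // constructed sample hardware ID
	req, _, _ := ClientActivate(hw, "PHYS-KEY-0001")
	lic, err := srv.Activate(req)
	fmt.Println("activation error:", err)
	fmt.Println("valid at startup:", CheckLicense(srv.PublicKey(), lic, hw, req.ClientPub))
	fmt.Println("valid after hardware change:", CheckLicense(srv.PublicKey(), lic, []byte("MB-SN-999|HDD-SN-456"), req.ClientPub))
	_, err = srv.Activate(req)
	fmt.Println("second use of the same physical key:", err)
}
```

The order of checks in `Activate` matters: the client signature is verified before the token is consulted, so a request whose fields were altered in transit never touches the activation database, and the token is deleted only after every check has passed, which is what makes the physical key single-use. Hardware-change and signature-tampering cases both fall out of `CheckLicense` returning false, which is the point at which a real client would force the reactivation the post describes.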